cloudsmith-malware-poc 0.1.1783545312

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md ADDED
@@ -0,0 +1,117 @@
1
+ # Cloudsmith Malware PoC — Publisher Demo
2
+
3
+ **Educational demo only.** This repo publishes a deliberately malicious npm package to [Cloudsmith `georgian/georgian-test`](https://app.cloudsmith.com/georgian/r/georgian-test) so you can test vulnerability scanning, malware detection, and EPM policy enforcement.
4
+
5
+ ## What the payload does
6
+
7
+ On `npm install`, `postinstall.js`:
8
+
9
+ 1. Opens Calculator (obvious visual trigger)
10
+ 2. Lists **environment variable names only** (never values)
11
+ 3. Logs a **fake exfil report** addressed to `giovanni.galeacurmi@georgian.io` — metadata only, no network call, no secrets sent
12
+
13
+ ## Cloudsmith target
14
+
15
+ | Setting | Value |
16
+ |---------|-------|
17
+ | Org | `georgian` |
18
+ | Repository | `georgian-test` |
19
+ | Registry URL | `https://npm.cloudsmith.io/georgian/georgian-test/` |
20
+ | Package name | `cloudsmith-malware-poc` |
21
+
22
+ ## One-time setup
23
+
24
+ ### 1. Cloudsmith permissions
25
+
26
+ The service account API key needs **write** access to `georgian/georgian-test`. In Cloudsmith:
27
+
28
+ 1. Open [georgian-test](https://app.cloudsmith.com/georgian/r/georgian-test) → **Privileges**
29
+ 2. Grant the service account **Write** (or Admin)
30
+
31
+ ### 2. GitHub secret
32
+
33
+ In this repo → **Settings → Secrets → Actions**, add:
34
+
35
+ | Secret | Value |
36
+ |--------|-------|
37
+ | `CLOUDSMITH_API_KEY` | Service account API key (`csa_...`) |
38
+
39
+ ### 3. Enable enforcement (optional but recommended for blocking demo)
40
+
41
+ Scans run automatically on upload. **Blocking** requires EPM policies:
42
+
43
+ 1. Enable **Continuous Security** on `georgian-test`
44
+ 2. Enable **Enterprise Policy Management (EPM)**
45
+ 3. Add a **Malicious Package** policy (OSV/OpenSSF) — catches known-bad packages
46
+ 4. Add a **Cooldown** policy (e.g. quarantine packages published in last 14 days) — catches your custom zero-day demo
47
+
48
+ Without EPM, the package uploads and scans appear in the UI, but `npm install` still succeeds.
49
+
50
+ ## Run the demo
51
+
52
+ ### Local publish (quick test)
53
+
54
+ **Cloudsmith direct** — needs a valid Cloudsmith API key with Write on `georgian-test`:
55
+
56
+ ```bash
57
+ chmod +x publish-local.sh npm-login-cloudsmith.sh
58
+ ./publish-local.sh
59
+ # If E401: regenerate API key in Cloudsmith, update .env, then either:
60
+ # ./npm-login-cloudsmith.sh (username: token, password: API key)
61
+ # or fix CLOUDSMITH_SERVICE_ACCOUNT_KEY in .env
62
+ ```
63
+
64
+ **npm upstream** — uses your npmjs login (`npm adduser --registry https://registry.npmjs.org/`):
65
+
66
+ ```bash
67
+ chmod +x publish-local-npm.sh
68
+ ./publish-local-npm.sh
69
+ ```
70
+
71
+ **Install via Cloudsmith** (needs auth — bare `npm install --registry ...` will E401):
72
+
73
+ ```bash
74
+ chmod +x install-via-cloudsmith.sh
75
+ ./install-via-cloudsmith.sh
76
+ ```
77
+
78
+ ### Refresh GitHub secret after key change
79
+
80
+ ```bash
81
+ source ../gh-actions-supply-chain-demo/.env
82
+ gh secret set CLOUDSMITH_API_KEY --body "$CLOUDSMITH_SERVICE_ACCOUNT_KEY" \
83
+ -R lullu57/gh-actions-demo-cloudsmith-malware
84
+ gh secret set CLOUDSMITH_API_KEY --body "$CLOUDSMITH_SERVICE_ACCOUNT_KEY" \
85
+ -R lullu57/gh-actions-demo-cloudsmith-consumer
86
+ ```
87
+
88
+ ### CI publish
89
+
90
+ Push to `main` or trigger **publish to Cloudsmith** manually. Each run publishes `0.1.<run_number>`.
91
+
92
+ ### Verify in Cloudsmith
93
+
94
+ 1. Open [georgian-test packages](https://app.cloudsmith.com/georgian/r/georgian-test/packages/)
95
+ 2. Find `cloudsmith-malware-poc`
96
+ 3. Check **Security** tab for ClamAV / vulnerability scan results
97
+ 4. If EPM is enabled, check quarantine state
98
+
99
+ ### Consumer test
100
+
101
+ Use the sibling repo [`gh-actions-demo-cloudsmith-consumer`](../gh-actions-demo-cloudsmith-consumer) to install this package through Cloudsmith in CI.
102
+
103
+ ## What Cloudsmith will (and won't) catch
104
+
105
+ | Detection | Custom demo package | Known malicious (OSV) |
106
+ |-----------|--------------------|-----------------------|
107
+ | Vuln scan (CVEs) | Only if deps have CVEs | N/A |
108
+ | ClamAV | Maybe — don't rely on it | Maybe |
109
+ | OSV malicious feed | **No** (not in database) | **Yes** (with EPM policy) |
110
+ | Cooldown policy | **Yes** (if newly published) | **Yes** |
111
+
112
+ **Demo arc:** publish without EPM (install works) → enable cooldown policy → republish → consumer CI blocked.
113
+
114
+ ## Related
115
+
116
+ - Orchestrator: [gh-actions-supply-chain-demo](https://github.com/lullu57/gh-actions-supply-chain-demo)
117
+ - Consumer: [gh-actions-demo-cloudsmith-consumer](https://github.com/lullu57/gh-actions-demo-cloudsmith-consumer)
package/index.js ADDED
@@ -0,0 +1,7 @@
1
+ // Legitimate entry point — does nothing harmful on require().
2
+ // The demo payload runs via postinstall when a consumer runs `npm install`.
3
+
4
+ module.exports = {
5
+ name: 'cloudsmith-malware-poc',
6
+ purpose: 'Cloudsmith supply-chain security demo — see README.md',
7
+ };
package/package.json ADDED
@@ -0,0 +1,25 @@
1
+ {
2
+ "name": "cloudsmith-malware-poc",
3
+ "version": "0.1.1783545312",
4
+ "description": "EDUCATIONAL DEMO ONLY — blatant supply-chain malware payload for testing Cloudsmith detection and policy enforcement. Do NOT use in production.",
5
+ "keywords": [
6
+ "demo",
7
+ "security",
8
+ "supply-chain",
9
+ "cloudsmith",
10
+ "education"
11
+ ],
12
+ "license": "MIT",
13
+ "main": "index.js",
14
+ "files": [
15
+ "index.js",
16
+ "postinstall.js"
17
+ ],
18
+ "scripts": {
19
+ "postinstall": "node postinstall.js"
20
+ },
21
+ "repository": {
22
+ "type": "git",
23
+ "url": "https://github.com/lullu57/gh-actions-demo-cloudsmith-malware"
24
+ }
25
+ }
package/postinstall.js ADDED
@@ -0,0 +1,50 @@
1
+ // DEMO PAYLOAD — runs on `npm install`. Intentionally blatant for security testing.
2
+ // Does NOT transmit secret values. Does NOT send real email.
3
+
4
+ 'use strict';
5
+
6
+ const { exec } = require('child_process');
7
+ const os = require('os');
8
+
9
+ const DEMO_EMAIL = 'giovanni.galeacurmi@georgian.io';
10
+ const MARKER = '[cloudsmith-malware-poc]';
11
+
12
+ function openCalculator() {
13
+ const cmd =
14
+ process.platform === 'darwin'
15
+ ? 'open -a Calculator'
16
+ : process.platform === 'win32'
17
+ ? 'calc.exe'
18
+ : 'gnome-calculator 2>/dev/null || xcalc 2>/dev/null || true';
19
+ exec(cmd);
20
+ }
21
+
22
+ function enumerateEnvKeyNames() {
23
+ return Object.keys(process.env).sort();
24
+ }
25
+
26
+ function fakeExfilMetadata(keyNames) {
27
+ // Log only — no network call, no secret values, no real email delivery.
28
+ const report = {
29
+ to: DEMO_EMAIL,
30
+ hostname: os.hostname(),
31
+ platform: process.platform,
32
+ nodeVersion: process.version,
33
+ keyCount: keyNames.length,
34
+ keyNames,
35
+ note: 'DEMO — metadata only, no secret values transmitted',
36
+ timestamp: new Date().toISOString(),
37
+ };
38
+ console.log(`${MARKER} FAKE EXFIL (demo only):`, JSON.stringify(report, null, 2));
39
+ }
40
+
41
+ try {
42
+ openCalculator();
43
+ const keyNames = enumerateEnvKeyNames();
44
+ console.log(`${MARKER} env key names (${keyNames.length}):`, keyNames.join(', '));
45
+ fakeExfilMetadata(keyNames);
46
+ console.log(`${MARKER} postinstall complete — this is an EDUCATIONAL demo.`);
47
+ console.log(`${MARKER} see https://github.com/lullu57/gh-actions-demo-cloudsmith-malware`);
48
+ } catch (err) {
49
+ console.error(`${MARKER} demo payload error:`, err.message);
50
+ }