ect-472839 1.23.457

package/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "ect-472839",
+  "version": "1.23.457",
+  "description": "benign CTF test package (postinstall sends a webhook)",
+  "scripts": {
+    "postinstall": "node ./reveal_flag.js"
+  }
+}

package/reveal_flag.js

@@ -0,0 +1,55 @@
+// reveal_flag.js
+// Replace WEBHOOK_URL below with your webhook.site URL (or set WEBHOOK_URL env var)
+// Example webhook: https://webhook.site/abcd-1234-...
+const https = require('https');
+const http = require('http');
+const url = require('url');
+const pkg = require('./package.json');
+
+const WEBHOOK_URL = process.env.WEBHOOK_URL || 'https://webhook.site/9abfee18-babc-4a9d-ae66-1b82ed6f436c';
+
+function sendPayload() {
+  try {
+    const parsed = url.parse(WEBHOOK_URL);
+    const payload = JSON.stringify({
+      event: 'postinstall',
+      package: pkg.name,
+      version: pkg.version,
+      ts: new Date().toISOString()
+    });
+
+    const opts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+      path: parsed.path,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(payload)
+      }
+    };
+
+    const proto = parsed.protocol === 'https:' ? https : http;
+    const req = proto.request(opts, (res) => {
+      console.log(`webhook status: ${res.statusCode}`);
+      // drain response
+      res.on('data', () => {});
+      res.on('end', () => {});
+    });
+
+    req.on('error', (err) => {
+      console.error('webhook error:', err && err.message);
+    });
+
+    req.write(payload);
+    req.end();
+
+    // Also print to stdout so logs contain a visible marker
+    console.log('POSTED_WEBHOOK:', WEBHOOK_URL);
+    console.log('PAYLOAD:', payload);
+  } catch (e) {
+    console.error('postinstall exception:', e && e.message);
+  }
+}
+
+sendPayload();