0.0.1-security • Published 3 years ago
@tilliwilli/npm-lifecycles v0.0.1-security
list of events that occur when publishing
- prepublishOnly
- prepack
- prepare
- postpack
- publish
- postpublish
list of events that occur when installing from the npm registry
- preinstall
- install
- postinstall
list of events that occur when installing from the file:// protocol (file:///htdocs/test)
- preinstall
- prepare
- install
- postinstall
list of events that occur when installing from the http:// protocol (http://localhost:8000/test.tar.gz)
- preinstall
- install
- postinstall
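The four lists above map each install or publish context to the lifecycle events npm fires. The following helper is an added example, not code from the original README or from npm itself: it takes a package.json `scripts` object and a context name (`publish`, `registry`, `file`, `http`, names chosen here, not npm's) and returns, in order, the scripts that would actually execute, so a reviewer can see what a dependency runs on the installing machine before it is installed. The `ignoreScripts` option models `npm install --ignore-scripts`; the event orders are taken from the lists above, and the sample package.json is constructed for the example.

```javascript
'use strict';

// Event order per context, as observed in the lists above (added example,
// not npm's own code). Context names are this example's labels.
const LIFECYCLE_EVENTS = {
  publish: ['prepublishOnly', 'prepack', 'prepare', 'postpack', 'publish', 'postpublish'],
  registry: ['preinstall', 'install', 'postinstall'],
  file: ['preinstall', 'prepare', 'install', 'postinstall'],
  http: ['preinstall', 'install', 'postinstall'],
};

// Contexts in which the scripts run on the consumer's machine rather than
// the publisher's; these are the ones that matter when reviewing a dependency.
const INSTALL_CONTEXTS = new Set(['registry', 'file', 'http']);

// Return [{ event, command }] for every lifecycle script that would run,
// in the order npm fires the events for the given context.
function scriptsThatWillRun(scripts, context, { ignoreScripts = false } = {}) {
  const order = LIFECYCLE_EVENTS[context];
  if (!order) throw new Error(`unknown context: ${context}`);
  if (ignoreScripts) return []; // --ignore-scripts disables every lifecycle script
  const declared = scripts || {};
  return order
    .filter((event) => typeof declared[event] === 'string')
    .map((event) => ({ event, command: declared[event] }));
}

// Review helper: does this package execute anything during `npm install`
// from the given source, and if so, what?
function reviewPackage(pkg, context) {
  const runs = scriptsThatWillRun(pkg.scripts, context);
  const needsReview = INSTALL_CONTEXTS.has(context) && runs.length > 0;
  return {
    name: pkg.name,
    context,
    runs,
    needsReview,
    summary: runs.map((r) => `${r.event}: ${r.command}`),
  };
}

// Constructed sample package.json (not a real package).
const SAMPLE_PKG = {
  name: 'example-dep',
  version: '1.0.0',
  scripts: {
    preinstall: 'node setup.js',
    prepare: 'npm run build',
    test: 'jest',
    postpublish: 'echo published',
  },
};

// Demo: show what the sample package would run in each context.
for (const ctx of Object.keys(LIFECYCLE_EVENTS)) {
  console.log(JSON.stringify(reviewPackage(SAMPLE_PKG, ctx)));
}
```

Note that `prepare` appears in both the publish list and the file:// install list: for a registry install it ran on the publisher's machine, but for a local directory install it runs on yours.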
what the web server receives from `npm i http://localhost:8000/test.tar.gz`

```
┌──(tilli㉿pasakoh)-[/mnt/c/Users/tilli/htdocs/visiology-public-utilities-hack]
└─$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48492
GET /test.tar.gz HTTP/1.1
npm-command: install
pacote-pkg-id: remote:xxx@http://localhost:8000/test.tar.gz
pacote-req-type: tarball
pacote-version: 12.0.3
user-agent: npm/8.5.0 node/v16.14.2 win32 x64 workspaces/false
if-modified-since: Sun, 10 Apr 2022 12:48:38 GMT
connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: localhost:8000
```
listening server

```sh
while true; do sudo nc -N -lvnp 80 < response.json >> output; done
```

response.json

```
HTTP/1.1 200 OK
Connection: close

{"result":"ok"}
```

extract request payload

```sh
grep Auth output | awk '{print $3}' | base64 -d | less
grep Auth output | head -n 3 | tail -n 1 | awk '{print $3}' | ./extract.js | less
```
to investigate further
- placing an executable in node_modules/.hooks/{eventname}: https://docs.npmjs.com/cli/v6/using-npm/scripts#hook-scripts
links
- https://docs.npmjs.com/cli/v8/using-npm/scripts#life-cycle-scripts
- https://docs.npmjs.com/cli/v8/configuring-npm/package-json#scripts