@tilliwilli/npm-lifecycles v0.0.1-security

list of events occur when publishing

• prepublishOnly
• prepack
• prepare
• postpack
• publish
• postpublish

list of events occur when installing from npm registry

• preinstall
• install
• postinstall

list of events occur when installing from file:// protocol (file:///htdocs/test)

• preinstall
• prepare
• install
• postinstall

list of events occur when installing from http:// protocol (http://localhost:8000/test.tar.gz)

• preinstall
• install
• postinstall

what web server receives from npm i http://localhost:8000/test.tar.gz

┌──(tilli㉿pasakoh)-[/mnt/c/Users/tilli/htdocs/visiology-public-utilities-hack]
└─$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48492
GET /test.tar.gz HTTP/1.1
npm-command: install
pacote-pkg-id: remote:xxx@http://localhost:8000/test.tar.gz
pacote-req-type: tarball
pacote-version: 12.0.3
user-agent: npm/8.5.0 node/v16.14.2 win32 x64 workspaces/false
if-modified-since: Sun, 10 Apr 2022 12:48:38 GMT
connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: localhost:8000

listening server

while true; do sudo nc -N -lvnp 80 < response.json >> output; done

response.json

HTTP/1.1 200 OK    
Connection: close  
                   
{"result":"ok"}    
                   

extract request payload

grep Auth output | awk '{print $3}' | base64 -d | less
grep Auth output | head -n 3 | tail -n 1 | awk '{print $3}' | ./extract.js | less

investigate more

• place exe in node_modules/.hooks/{eventname} https://docs.npmjs.com/cli/v6/using-npm/scripts#hook-scripts

links

https://docs.npmjs.com/cli/v8/using-npm/scripts#life-cycle-scripts https://docs.npmjs.com/cli/v8/configuring-npm/package-json#scripts