0.0.1-security • Published 3 years ago

@tilliwilli/npm-lifecycles v0.0.1-security

list of events that occur when publishing

  • prepublishOnly
  • prepack
  • prepare
  • postpack
  • publish
  • postpublish

list of events that occur when installing from the npm registry

  • preinstall
  • install
  • postinstall

list of events that occur when installing from the file:// protocol (file:///htdocs/test)

  • preinstall
  • prepare
  • install
  • postinstall

list of events that occur when installing from the http:// protocol (http://localhost:8000/test.tar.gz)

  • preinstall
  • install
  • postinstall
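The three install lists above can be used as a review check before running npm install. The following is an added example, not part of the original package README: it reports which scripts in each dependency's package.json would execute for the way that dependency is referenced. The function names and the sample manifests are constructed for illustration, and git and alias specs are out of scope.

```javascript
// Install-time lifecycle events per source, in the order listed on this page.
const INSTALL_EVENTS = {
  registry: ['preinstall', 'install', 'postinstall'],
  file: ['preinstall', 'prepare', 'install', 'postinstall'],
  http: ['preinstall', 'install', 'postinstall'],
};

// Map a dependency spec from package.json to one of the three sources.
function classifySource(spec) {
  if (/^file:/i.test(spec)) return 'file';
  if (/^https?:\/\//i.test(spec)) return 'http';
  return 'registry'; // semver ranges and dist-tags
}

// Scripts of `manifest` that would run during install from `source`, in order.
function scriptsRunOnInstall(manifest, source) {
  const events = INSTALL_EVENTS[source];
  if (!events) throw new Error(`unknown source: ${source}`);
  const scripts = (manifest && manifest.scripts) || {};
  return events
    .filter((ev) => typeof scripts[ev] === 'string' && scripts[ev].trim() !== '')
    .map((ev) => ({ event: ev, command: scripts[ev] }));
}

// Check every dependency of the root manifest against its own manifest.
function auditDependencies(rootManifest, manifestsByName) {
  const deps = { ...rootManifest.dependencies, ...rootManifest.devDependencies };
  const findings = [];
  for (const [name, spec] of Object.entries(deps)) {
    const source = classifySource(spec);
    const hits = scriptsRunOnInstall(manifestsByName[name] || {}, source);
    if (hits.length > 0) findings.push({ name, spec, source, hits });
  }
  return findings;
}

// Constructed sample input (hypothetical package names and scripts).
const ROOT = { dependencies: {
  'left-thing': '^1.2.0',
  'local-tool': 'file:///htdocs/test',
  'remote-thing': 'http://localhost:8000/test.tar.gz',
} };
const MANIFESTS = {
  'left-thing': { scripts: { test: 'jest' } },
  'local-tool': { scripts: { prepare: 'tsc', test: 'jest' } },
  'remote-thing': { scripts: { prepare: 'tsc', postinstall: 'node setup.js' } },
};
console.log(JSON.stringify(auditDependencies(ROOT, MANIFESTS), null, 2));
```

Installing with `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`) keeps any of the reported scripts from running.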

what the web server receives from npm i http://localhost:8000/test.tar.gz

┌──(tilli㉿pasakoh)-[/mnt/c/Users/tilli/htdocs/visiology-public-utilities-hack]
└─$ nc -lvnp 8000
listening on [any] 8000 ...
connect to [127.0.0.1] from (UNKNOWN) [127.0.0.1] 48492
GET /test.tar.gz HTTP/1.1
npm-command: install
pacote-pkg-id: remote:xxx@http://localhost:8000/test.tar.gz
pacote-req-type: tarball
pacote-version: 12.0.3
user-agent: npm/8.5.0 node/v16.14.2 win32 x64 workspaces/false
if-modified-since: Sun, 10 Apr 2022 12:48:38 GMT
connection: keep-alive
Accept: */*
Accept-Encoding: gzip,deflate
Host: localhost:8000

listening server

while true; do sudo nc -N -lvnp 80 < response.json >> output; done

response.json

HTTP/1.1 200 OK
Connection: close

{"result":"ok"}

extract request payload

grep Auth output | awk '{print $3}' | base64 -d | less
grep Auth output | head -n 3 | tail -n 1 | awk '{print $3}' | ./extract.js | less

investigate more

links

https://docs.npmjs.com/cli/v8/using-npm/scripts#life-cycle-scripts
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#scripts
