OP 24 October, 2024 - 04:37 PM
Probably most projects written in NodeJS use the npm package manager and the like, and when installing you don't even look at what kind of package it is. Or you download a repository or some project and just install it and run it; it seems to work, but you didn't even notice that you were already caught simply by installing packages.
Or you want to install some package and accidentally make a typo in one letter, but alas... it turns out that such a package exists, and you don't even understand what you installed; you forget about it and think it's okay, just a package. And then your data is leaked or compromised. People often make mistakes when typing.
Okay, what's the point: NodeJS packages contain information about the package, the so-called package.json, and it has this interesting thing
This postinstall is executed immediately after downloading the package.
And with this, your system can be infected. Okay, the question is, how do you catch someone then? Everything is trivially simple: we take popular libraries and create the same ones, but with the names that people mistype. But the question is, how do I come up with misspelled names? ChatGPT or another AI can handle this. I asked it to generate a list of libraries with errors, for example, 100 popular libraries that people misspell.
Below is the code; what it does is as follows: it generates a folder with a malicious npm package, which in turn executes --> get URL from the blockchain --> download file --> drop it in temp --> run.
To use it, go to the project folder, type npm i to install the necessary packages, and then run the script itself with the node index.js command.
The script will create a folder next to it with the package that you need to upload; for example, our folder is called random-lib-wdzwkcsf. Go into it, open cmd or a terminal, and type npm login; this command will prompt us to log in to https://npmjs.com/. We log in, or register if there is no account. After you have authorized yourself in the CLI, you publish your package with the npm publish command, and that's it, your package is uploaded. It will be available at the link with your name, for example,
https://npmjs.com/random-lib-wdzwkcsf. If you want to change some name in the package, there is package.json in it with all the meta.
And anyone who tries to install the package, or who installs a project it was added to, gets infected. Or simply by typing
npm i random-lib-wdzwkcsf you get a new user in your network)
Maybe I didn't write something somewhere or forgot; I'm too lazy to change the text. Everything written here was invented by me. Well, or I just didn't see whether someone thought of it before me.
In general, initially this idea was a must-have for me, but I got tired of everything and decided to get rid of this idea too...
Video guide (being optimized for now, so it may not be available):
[Video: https://vimeo.com/1022656184]
Leaving a like is much appreciated and helps me keep publishing threads.
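The two mechanisms the post leans on (an install-time lifecycle script in package.json, and a package name one typo away from a popular one) are both checkable from the consumer side. Below is an added example, not code from the original post or from any npm package: a small Node.js audit that takes a parsed package.json plus the manifests of its resolved dependencies, reports every dependency declaring an install-time lifecycle script, and flags dependency names within a short edit distance of a well-known package. The manifests, the "popular" list and the misspelled name lodahs are constructed sample input for this example.

```javascript
// Added example (not from the original post): audit a dependency set for
// install-time lifecycle scripts and for typosquat-looking package names.
// All manifests and the POPULAR list below are constructed sample data.

// preinstall/install/postinstall run automatically during `npm install` for
// registry dependencies unless --ignore-scripts is set; prepare runs for git
// dependencies and local installs.
const LIFECYCLE_SCRIPTS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Constructed list of well-known names; a real audit would use a much larger one.
const POPULAR = ['lodash', 'express', 'axios', 'react', 'chalk', 'commander', 'moment'];

// Classic Levenshtein edit distance (insert / delete / substitute, cost 1 each).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { target, distance } for the closest popular name within maxDistance,
// or null. An exact match is a legitimate dependency, not a squat.
function typosquatCandidate(name, popular = POPULAR, maxDistance = 2) {
  if (popular.includes(name)) return null;
  let best = null;
  for (const p of popular) {
    const d = editDistance(name, p);
    if (d <= maxDistance && (best === null || d < best.distance)) {
      best = { target: p, distance: d };
    }
  }
  return best;
}

// Lifecycle scripts a parsed package.json declares (only the install-time ones).
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE_SCRIPTS.filter((k) => typeof scripts[k] === 'string');
}

// Audit a root manifest. `depManifests` maps dependency name -> that
// dependency's parsed package.json (e.g. read from node_modules/<name>/package.json).
function audit(rootManifest, depManifests) {
  const findings = [];
  const deps = { ...(rootManifest.dependencies || {}), ...(rootManifest.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    const squat = typosquatCandidate(name);
    if (squat) {
      findings.push({ name, kind: 'typosquat', detail: `close to "${squat.target}" (distance ${squat.distance})` });
    }
    const m = depManifests[name];
    if (!m) continue;
    for (const s of installScripts(m)) {
      findings.push({ name, kind: 'lifecycle-script', detail: `${s}: ${m.scripts[s]}` });
    }
  }
  return findings;
}

// Constructed sample input: one legitimate dependency and one made-up misspelling
// of it that also declares a postinstall hook.
const SAMPLE_ROOT = { name: 'demo-app', dependencies: { lodash: '^4.17.21', lodahs: '1.0.0' } };
const SAMPLE_DEPS = {
  lodash: { name: 'lodash', scripts: { test: 'echo ok' } },
  lodahs: { name: 'lodahs', scripts: { postinstall: 'node setup.js' } },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of audit(SAMPLE_ROOT, SAMPLE_DEPS)) {
    console.log(`[${f.kind}] ${f.name}: ${f.detail}`);
  }
}
```

On the sample input the audit reports lodahs twice: once as a name two edits from lodash, and once for its postinstall script. The distance threshold is a heuristic and will also flag short legitimate names near a popular one, so its output is a triage list, not a verdict. Independently of any audit, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) stops npm from running these lifecycle scripts at install time, which is the setting that defeats the postinstall trick the post describes.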