Command to grep spoofed package names from hacktask npm user
find . -name "package.json" -exec grep -nwE 'babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter' {} +

leggomuhgreggo commented Aug 1, 2017

Note: there will probably be some false positives

hiendv commented Aug 2, 2017

npm ls | grep -E '(babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter)@'

AndreiRailean Aug 2, 2017

Same as the one from @hiendv, but with yarn list

yarn list| grep -E '(babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter)@'

kamranayub Aug 2, 2017

For Windows users (in PowerShell)

(npm ls) -match 'babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter'

k1dbl4ck commented Aug 2, 2017

As noted by @leggomuhgreggo - false positive:

./node_modules/nodemailer/package.json:90:  "main": "src/nodemailer.js",

tundeaoni commented Aug 2, 2017

For checking apps running in Kubernetes pods (using https://pastebin.com/1ADcWejx)

#!/bin/bash

# Check the npm dependency tree in every application pod
for i in $(kubectl get pods -l="***label_key***=**label_value**" -o go-template --template '{{range .items}}{{.metadata.name}}{{"\n"}}{{end}}'); do

    # Dots are escaped so they match literally; "--" separates kubectl's flags from the command
    output=$(kubectl exec -ti "$i" -- npm ls | grep -E "babelcli|crossenv|cross-env\.js|d3\.js|fabric-js|ffmepg|gruntcli|http-proxy\.js|jquery\.js|mariadb|mongose|mssql\.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer\.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv\.js|openssl\.js|proxy\.js|shadowsock|smb|sqlite\.js|sqliter|sqlserver|tkinter")
    echo "result is ${output:-"All good here"}"
    echo "============="

    sleep 5
done

basemath commented Aug 3, 2017

For Windows users (regular cmd, non-PowerShell)

npm ls | findstr "babelcli crossenv cross-env\.js d3\.js fabric-js ffmepg gruntcli http-proxy\.js jquery\.js mariadb mongose mssql\.js mssql-node mysqljs nodecaffe nodefabric node-fabric nodeffmpeg nodemailer-js nodemailer\.js nodemssql node-opencv node-opensl node-openssl noderequest nodesass nodesqlite node-sqlite node-tkinter opencv\.js openssl\.js proxy\.js shadowsock smb sqlite\.js sqliter sqlserver tkinter"