Description
An npm stream compromised dependencies long ago. Help us recover what this script is hiding.
Solution
If we extract the ExploitedStream.zip file we find only one file: exploitedstream.js
exploitedstream.js is an obfuscated JavaScript file.
The first thing I have to say is that I have no idea about JavaScript, but this is an easy challenge.
This challenge is very interesting because it’s based on a real case: Analysis of a Supply Chain Attack
The first thing we have to do is deobfuscate the script. Once it is deobfuscated we find an interesting note “for future me” ;)
Once we have read the note, we need a list of all the npm package names in order to brute-force the password and recover both the flag and the correct package name.
We can find a list of all the npm package names in all-the-package-names. So now we only have to write a loop that brute-forces the password and wait for our flag.
To solve this challenge I deobfuscated the original script and added the loop to brute-force the flag. You can see my JS file at exploitedstream_deobfuscated.js
ExploitedStream has been Pwned
Enjoy! ;)