Skip to content

Checks all maintainers of all NPM and Pypi packages for hijackable packages through domain re-registration

License

Notifications You must be signed in to change notification settings

firefart/hijagger

Repository files navigation

hijagger - check package registries for hijackable packages

This tool checks every maintainer from every package in the NPM and Python Pypi registry for unregistered domains or unregistered MX records on those domains. If a domain is unregistered you can grab the domain and initiate a password reset on the account if it has no 2 factor auth enabled. This enables you to hijack a package and do whatever you want with it.

Please do not use it for illegal purposes, only use it to check packages and submit them to bug bounty programs.

NPM

I contacted the NPM security team about this but they are not interested in this kind of vulnerability.

Please also note that the returned maintainers returned from the API not always reflect the real maintainers but often you can get lucky.

Usage

Download the package index first! This can take a long time as the server is extremely slow (takes more than 30 mins):

wget https://skimdb.npmjs.com/registry/_all_docs

After this simply run the tool with ./hijagger npm. To see all options use the --help switch. The output is automatically saved to output.txt too. This tool will most probably run multiple days due to the high number of packages.

To easily find hits in the output, grep for HIT. The coloring is based on the number of downloads during the last year of the package.

The tool does a lot of DNS and whois requests so I suggest running this tool from a dedicated server to not risk having your private ip blocked.

Pypi

This mode works exactly the same as the NPM mode, but the pypi api does not return the number of downloads for a package. This data is only available via google bigquery but this complicates things a lot so download counters and colors based on downloads are not implemented on Pypi packages.

Usage

./hijagger pypi

About

Checks all maintainers of all NPM and Pypi packages for hijackable packages through domain re-registration

Topics

Resources

License

Stars

Watchers

Forks

Releases

No releases published