Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Detected On: 11 Nov 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script uses child_process.exec to execute complex commands that fetch and execute remote content. In particular, the use of curl | sh is a security vulnerability: it downloads a script from the internet and pipes it directly into the shell, executing it immediately. This pattern is dangerous because the content cannot be reviewed before execution and can result in a malicious script being run. Additionally, installing packages or software without proper verification can introduce malicious code into the system.

Detected On: 11 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script gathers sensitive information such as the current package name, current directory, home directory, hostname, username, DNS servers, package resolution information, package version, and the entire contents of the package.json file. It then sends this data to a remote server via an HTTPS POST request. This could lead to the exposure of sensitive information and be part of a data exfiltration mechanism, which is a security vulnerability. The server it sends data to is most likely controlled by an attacker, as indicated by the unusual hostname, and the data might be used for tracking or malicious purposes.

Detected On: 11 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The index.js script collects sensitive information from the user's system and sends it to an external server. The data it collects includes the project directory, user home directory, hostname, username, DNS servers, the resolved URL if present, package version, and the entire package.json content. This information could potentially include sensitive data such as private API keys or other secrets. It transmits this data to a specified URL ("9jtd6rt6pqm65h6twz7s9refa6gx4nsc.oastify.com") which is likely under the control of an attacker. The comments in the code suggest replacing it with a known penetration testing server such as Burp Collaborator, Interactsh, or Pipedream, which are services commonly used for identifying security vulnerabilities. This behavior is indicative of malicious intent, potentially being part of a supply chain attack aimed at exfiltrating data from developers' systems.

Detected On: 11 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code makes an HTTP or HTTPS request to a server, transmitting the current user's OS username, Git name, and Git email address, which can be sensitive information. There are also code fragments that copy files within the system, which could be abused for harmful purposes. The combination of information leakage and internal file operations could be leveraged to prepare or execute an attack on the system or its user.

Detected On: 11 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script leaks system user information and Git user configuration, and attempts to contact an external server with this information, posing a significant privacy and security risk. Additionally, contacting arbitrary servers could be used to download and execute harmful code.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The code executes shell commands without proper sanitization, which opens the door to command injection vulnerabilities, especially if fuelCoreVersion is manipulated to include nefarious shell commands. This can lead to arbitrary code execution with the privileges of the user running the script. Furthermore, it downloads and executes code from the internet, which could be a vector for introducing malicious code if the source is not adequately secured or if the transfer is intercepted (man-in-the-middle attack). The use of execSync to run shell commands with user input (binPath, etc.) is particularly dangerous.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads and extracts a tarball from the internet without any form of checksum verification or signature validation, which leaves it exposed to a man-in-the-middle attack. An attacker could compromise the server from which the tarball is downloaded or intercept the network traffic to serve a malicious tarball that contains harmful binaries, leading to potential remote code execution when the binary is run. Additionally, the use of execSync with template strings to execute commands with user-supplied input may lead to command injection if the input is not properly sanitized.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads and installs binaries from a remote server (GitHub) without verifying the integrity of the downloaded file, such as through checksum verification or signature validation. This means that if the server is compromised, or if a man-in-the-middle attack occurs, malicious code could be served and executed on the local machine. Furthermore, the use of execSync allows arbitrary command execution, which could be dangerous, especially if the input parameters are not properly sanitized. The absence of checks to validate the source or integrity of the downloaded binaries creates a security vulnerability.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script is making a network request to an external server, potentially signaling to an attacker that the package has been installed. This domain name follows the pattern of a Domain Generation Algorithm (DGA), common in command and control infrastructures for malware. The ping could be used to exfiltrate data or to notify the attacker about the installation, potentially leading to further attacks. This behavior is suspicious and indicative of a potential security vulnerability.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script sends local user information, including the operating system username and Git configuration details (user name and email), to an external server, which could be used to steal identities or as part of a phishing attack. The request is made to either a local or remote server based on a hardcoded username, which can result in sensitive information being transmitted over the network without the user's knowledge or consent. This behavior is typically indicative of malicious intent, such as exfiltrating data, and thus should be considered a security vulnerability.
