
Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.


Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The preinstall script collects information about the host it runs on and sends it to a remote server. It gathers the package name and version from package.json, the current directory, the user's home directory, hostname, username, the system's DNS servers and package resolution details, then POSTs them to a remote host. This is data exfiltration rather than a bug in the package: the script's purpose is to report where it was installed. The remote domain looks suspicious and is consistent with a command-and-control server or a collection point set up by an attacker to receive the stolen data. Because it runs from preinstall, it executes on every machine that installs the package, including CI runners, before any of the package's own code is ever imported.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The preinstall script collects information from the system running it and sends it to a remote server. It gathers the package name, directory, user's home directory, hostname, username, DNS servers and other package details, encodes them, and sends them in an HTTPS POST to a hostname of the kind used by out-of-band application security testing (OAST) callback services. This is the classic dependency-confusion probe: the script exists only to confirm where it got installed. Whether or not the author's intent is research, the package leaks the hostname, username and home directory of every installer and should be treated as malicious.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads and extracts a tar.gz from the internet based on a version number taken from the environment, then runs the downloaded binary with --version without first verifying the archive's integrity or authenticity. If an attacker can cause a malicious archive to be fetched, for example by tampering with the version value or by substituting the download, that binary runs with the installing user's privileges. There is no checksum or signature verification at all. Two caveats a practitioner should keep in mind: a download from GitHub over HTTPS, as in the related entries below, is not trivially intercepted on the wire, so the realistic threat is a compromised release asset or maintainer account rather than a network man-in-the-middle; and a checksum only helps if the expected digest ships inside the npm package, since a digest fetched from the same release would be replaced along with the asset.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads and executes a binary from an external source without verifying the source's authenticity or the file's integrity, so a compromised or malicious release could lead to arbitrary code execution on the local system. The download URL https://github.com/FuelLabs/sway/releases/download/v${forcVersion}/${pkgName} is trusted as-is: there is no signature or pinned-digest check that the asset has not been tampered with, and forcVersion and pkgName flow straight into the URL. The binary is then run through execSync, which hands an interpolated command string to a shell, so a malicious binary runs with the installing user's privileges and any shell metacharacters in the interpolated values become part of the command.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads a binary package based on the version given in a VERSION file or other external input, extracts it, and runs the binary to check its version. execSync passes the interpolated template literal to a shell, so any shell metacharacter in binPath or pkgPath (both derived from the install location and the version) becomes part of the command; execFileSync with an argument array would avoid that. There is no checksum verification of the downloaded package, so a substituted archive, whether from a compromised release or an intercepted download, is extracted and run as-is. Every step runs with the privileges of the installing user and writes into the package directory, so compromising any one of them compromises the host.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The code downloads a file from the internet and extracts it without validating the source or the content. The fetch downloads a package from a GitHub releases URL for forc-binaries, and execSync is then used to extract it into binDir. execSync is also used to run the existing binary with --version; the risk there is not the version output itself but that whatever binary sits at that path, including one substituted through a tampered download, gets executed.

This can be exploited if an attacker gains control of the URL from which the package is fetched or the repository it is hosted in, or if they manage to inject a malicious package into the download process. The use of execSync can also lead to remote code execution if unsanitized input is passed to it.

Since the script executes without verifying the integrity of the downloaded file (e.g., by checking a cryptographic signature), it opens up a possibility for a supply chain attack where the binary could be replaced by a malicious one, which would then be executed with the same privileges as the current user.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The code allows for arbitrary code execution because it constructs command strings using potentially unsanitized input (fuelCoreVersion, pkgPlatform) and executes them with execSync, which can lead to remote code execution if the input is crafted maliciously. It also downloads and installs binaries from an external source without verifying their integrity, which could lead to installation of malicious binaries if the external source is compromised.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The install.js script fetches a package from a remote URL and runs shell commands on the system without any validation or integrity checking. This poses a severe risk as it could be exploited to download and execute malicious code. The use of execSync can lead to remote command execution if the inputs are not properly sanitized. The URLs and inputs should be sanitized and verified, ideally with cryptographic signatures, to prevent tampering and ensure the legitimacy of the files being executed.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script has several security weaknesses:

  1. It runs execSync with an interpolated command (${binPath} --version), which passes the string to a shell; if binPath contains shell metacharacters, whether through attacker control or merely an unusual install path, the extra text runs as commands.

  2. It fetches and writes a file from a URL (pkgUrl) built from unvalidated input, then runs tar to extract it, so a compromised or spoofed release is downloaded and executed. A supply chain attack here needs no bug in the script itself, only control of what the URL serves.

  3. There is no checksum or signature validation of the downloaded package, so a substituted archive, whether served by a compromised source or injected on the path (a man-in-the-middle), is accepted as the legitimate one.

  4. pkgName is used to build filesystem paths without validation. If pkgPlatform, which feeds into pkgName, can be controlled by an attacker, the write can land outside the intended directory, a directory traversal leading to arbitrary file write.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads and extracts a package from a remote URL without any kind of checksum or signature verification. This means it could be vulnerable to a Man-in-the-Middle attack, allowing an attacker to serve a malicious package instead of the legitimate one. Additionally, the script uses execSync to execute shell commands with user-defined input (binPath and pkgPath), which could be exploited for arbitrary code execution if an attacker can manipulate these variables.
