Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Follow our 𝕏 / Twitter feed for updates.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The downloaded package is being directly extracted and run without any checksum or signature verification, which can lead to remote code execution if the download source is compromised or spoofed (via a Man-in-the-Middle attack, for example). The fetch call to download the binary package does not ensure the authenticity or integrity of the package, which can be dangerous if an attacker intercepts the HTTP request or if the package has been replaced with a malicious one on the server. Additionally, since the code is using execSync to run shell commands, if there are any flaws in the handling of user input or the URLs, it could lead to command injection vulnerabilities.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads a compiled binary from the internet based on the version information provided and extracts it to a local directory. The vulnerability lies in the fact that it blindly trusts the downloaded binary without any form of verification (like checking a checksum or a digital signature) to ensure its integrity. If an attacker were to compromise the download source or perform a man-in-the-middle attack, they could provide a malicious binary. That would result in arbitrary code execution on the local machine with the privileges of the user running this script.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script fetches a binary from a fixed URL based on the version from 'forcVersion', and executes it to check its version. This is dangerous for several reasons:

  1. Executing code fetched from the internet can lead to remote code execution if the URL is compromised or if the fetched code is malicious.

  2. There's no checksum or signature verification, meaning the integrity of the downloaded file isn't confirmed, increasing the risk of a supply chain attack.

  3. Arbitrary command execution with execSync that takes user input or data from the internet could lead to command injection vulnerabilities if inputs aren't properly sanitized.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script contains a variety of security risks due to both intentional actions and poor security practices. It downloads and executes a binary from an external source without proper validation, allows for command injection via template literals, and uses dangerous shell commands:

  • The script downloads a binary from a fixed URL constructed using the version information and platform name, which could be manipulated or spoofed to download malicious binaries.

  • Using execSync to remove directories based on unsanitized input allows any command to be executed if the variables contain command operators.

  • Placing user input directly in a file path without sanitization can lead to a directory traversal attack or allow an attacker to overwrite critical system files.

  • The use of renameSync can inadvertently move unauthorized or malicious files into sensitive directories.

These practices can lead to arbitrary code execution, file system manipulation, and potentially giving an attacker control over the host system.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The install.js script downloads and installs a binary from a hardcoded URL, which may not be inherently dangerous, but it does not verify the integrity of the downloaded file, leaving an opening for a Man-In-The-Middle (MITM) attack where the URL could be hijacked or the file at the source could be replaced with a malicious version. Additionally, the use of execSync() to run shell commands with the content of variables (such as execSync(`rm -rf ${binDir}/*`) and execSync(`tar xzf "${pkgPath}" -C "${rootDir}"`)) could potentially be exploited if an attacker controls the input, leading to arbitrary code execution. There is no validation that the downloaded file is actually the file intended or that it has not been tampered with, which presents a risk of running malicious code.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script contains multiple security vulnerabilities. It uses execSync() to execute system commands, which can lead to command injection attacks if any input used in these commands is not properly sanitized or comes from an untrusted source. Moreover, it downloads and executes a binary from the internet without any form of verification (e.g., checksums, digital signatures), leaving it open to malicious code execution if an attacker were to compromise the download source or perform a man-in-the-middle attack. Additionally, the use of rm -rf with variables (e.g., ${binDir}/*) may lead to unintentional deletion of files or directories if those variables are not properly controlled.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script downloads and executes a binary from the internet without any form of integrity checking or cryptographic signature verification. It leverages execSync to run shell commands that could be influenced by the content of the downloaded package (if tampered with) and writes files to the filesystem with potentially elevated privileges or modifies existing binaries. This could lead to arbitrary code execution if the package source is compromised or if an attacker intercepts the download (Man-in-the-Middle attack).

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script seems to be dangerous because it recursively deletes directories that might be crucial for the system without authorization, moves and links files which could disrupt normal operations, and executes commands that could be used to prepare the system for further malicious actions. The suppression of all output (&>/dev/null) is often used in scripts to hide their activities. Additionally, the script uses command substitution without proper validation or sanitization, which could be abused for code injection if the environment variables are compromised or the domotz_npm command is malicious. Overall, it exhibits behavior that could be used to harm the system or prepare it for further exploitation.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script checks disk space and may delete directories within the npm temporary folder. While a disk space check and cleanup are not inherently malicious, the arbitrary deletion of directories could interfere with or sabotage other npm operations, potentially leading to unintended consequences or the removal of important files if the npm temporary directory is used by other processes or workflows. Additionally, the script suppresses all output and errors (with &>/dev/null), which is a tactic often used by malicious scripts to hide their activity. Since the deletion is constrained to older directories (+10 minutes) and only within the npm temp folder, it may be intended purely for cleanup; it is still risky, however, and may inadvertently remove important files that happen to be within this directory and more than 10 minutes old.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script uses curl to send the contents of the '/etc/passwd' file to a remote server. The $(hostname) part dynamically gets the hostname of the system and constructs a URL with it, pointing at a domain that likely belongs to an attacker. This can leak user information stored in '/etc/passwd', which is a sensitive file containing user account information. The URL suggests the use of a domain generation algorithm or a per-host subdomain for exfiltration, a pattern typically seen in command and control (C2) infrastructure or in data exfiltration during a security breach. This is a serious security vulnerability as it could lead to information disclosure and potentially be part of a larger attack.

729 vulnerabilities