Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Follow our 𝕏 / Twitter feed for updates.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script uses curl to send the contents of the /etc/passwd file from the local machine to a remote server. The /etc/passwd file on Unix-like operating systems contains user account information and is usually readable by any user on the system (on modern systems passwords are not stored in this file; they are kept in /etc/shadow, which is typically accessible only by root). Sending it could expose user names and other potentially sensitive information. The machine's hostname is used to form a unique subdomain for the upload, indicating an attempt to transmit this data stealthily to an attacker-controlled server. This constitutes a security vulnerability.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script uses curl, a tool for transferring data, to send the content of '/etc/passwd' to a remote server. The hostname command is used to generate a subdomain dynamically from the local machine's hostname, giving each victim a unique endpoint for data exfiltration. The destination domain (oastify.com) appears to belong to a service intended for out-of-band application security testing, but in this context it is being abused to exfiltrate the contents of the passwd file, which contains user account information. This is a serious security issue because it can leak sensitive information about user accounts on the system.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code is designed to collect sensitive information from the environment in which it runs, including the package name, current directory, home directory, hostname, username, DNS servers, and the content of package.json, which might include custom metadata such as private repository URLs (in the ___resolved field) or other sensitive data. It then sends the collected data to an external server via an HTTPS POST request. The hostname "3785fe2ei87xo3195n4i7oo8lzrsfj38.oastify.com" matches the pattern used by 'out-of-band' interaction services like Burp Collaborator, Interactsh, or Pipedream, suggesting a server set up to receive data from compromised systems. Such services are commonly used in security testing, and by attackers, to detect and confirm external interactions, so this script could serve malicious purposes such as data exfiltration.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script uses curl to send the contents of the '/etc/passwd' file to a remote server. This file contains user account information on a Unix-like system, which can be sensitive. Transmitting this file to an external host is a major security concern as it can lead to information disclosure and potential account compromise.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script uses curl to send the contents of the '/etc/passwd' file to a remote server. The '/etc/passwd' file contains user account information, which can be sensitive. The machine's hostname is used to compose the URL, which indicates that the data is being exfiltrated to a potentially malicious endpoint controlled by the attacker (the seemingly randomized subdomain on oastify.com is characteristic of a domain used for receiving out-of-band application security test responses). This is a clear sign of an attempt to steal sensitive information.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script uses curl to send the contents of the '/etc/passwd' file to an external domain, which is very likely an exfiltration attempt. The '/etc/passwd' file contains user account information, which is considered sensitive data. This kind of data transfer could be an attempt to steal user data or conduct reconnaissance for further attacks.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code provided performs a series of actions that configure a persistent and stealthy method for collecting clipboard data and sending it to a remote server. It first creates a VBScript file that will run on system startup. This VBScript is configured to execute a batch file in the background. The batch file then executes a PowerShell script, bypassing the execution policy. This PowerShell script monitors the clipboard content, posting it every second to a remote server. Such behavior is characteristic of keyloggers or information-stealing malware and poses a significant security threat due to the potential disclosure of sensitive information copied to the clipboard.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script installs a Visual Basic Script (VBS) file to the user's Startup folder, which executes a batch file silently at every system startup. The batch file runs a PowerShell script that continuously monitors the clipboard for content and posts any text found on the clipboard to a specified URL via HTTP POST. This behavior can be used to capture and exfiltrate sensitive information, such as passwords, credit card numbers, or personal data, to a remote server without the user's knowledge. The use of -ExecutionPolicy Bypass in the batch file allows the PowerShell script to run even if the execution policy would normally prevent it, which bypasses security measures intended to block the execution of potentially harmful scripts. Additionally, installing scripts to the Startup folder ensures persistence after reboots, further compromising the system's security.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:install
Severity: moderate

This script automatically downloads and installs binaries from the internet without any integrity check or signature verification. It executes shell commands, removes directories, writes files, and renames them based on an externally defined version string, which could be manipulated for malicious purposes. An attacker who can serve a malicious package would have it downloaded and executed by this script, potentially compromising the system.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script collects sensitive data such as the project directory (__dirname), home directory (os.homedir()), hostname (os.hostname()), username (os.userInfo().username), DNS servers (dns.getServers()), the package's resolved URL if present (___resolved), the package version, and the entire contents of package.json. It then sends this data to a remote server using an HTTPS POST request. The hostname used in the script is likely controlled by an attacker, as its structure suggests a domain generated for receiving data covertly. The data sent can be used to perform further attacks, conduct reconnaissance, or steal sensitive information.

729 vulnerabilities