Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code collects sensitive information including the project's directory, home directory, hostname, username, DNS servers, resolved package URLs, package version, and the entire package.json content, and sends it to a remote server. The hostname used in the options object suggests it is sending the data to a potentially malicious external server. This kind of behavior could be used to exfiltrate sensitive system information, potentially compromising the security of the system and the privacy of its users.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code captures various sensitive pieces of information from the user's environment, including the package name, current working directory, home directory, hostname, username, DNS servers, the resolved package path (if available), version number, and the entire contents of package.json. It then sends this data to a remote server. This could expose sensitive data to unauthorized entities, potentially leading to privacy breaches, and it could be exploited by attackers to gain more information for targeted attacks or system compromise. The remote server's domain (oastify.com) appears to be a domain used for receiving such transmitted data, indicating a potential exfiltration attempt.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code collects sensitive information, including the project's directory path, user home directory, hostname, username, DNS servers, and details from the project's package.json (which could include dependency information, scripts, and potentially private repository information), and then sends this data to a remote server via an HTTPS POST request. This can be considered a form of spyware or malicious telemetry that violates user privacy and can lead to further exploitation based on the gathered information. The use of a suspicious hostname (oastify.com) that could be associated with a service for collecting such data indicates a potential exfiltration attempt.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script collects sensitive information like the package name, current directory, user's home directory, the hostname, username, DNS servers, and the content of package.json which may contain sensitive data. It then sends this data to a remote server using a POST request, which can be a significant privacy concern and a potential breach of security if sensitive or proprietary information is exfiltrated. The hostname "ksgm0vnv3pse9kmqq4pzs59p6gc70yon.oastify.com" is likely a stand-in for a real attacker-controlled server and is indicative of an intent to exfiltrate sensitive data.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script collects sensitive information from the user's environment, including package information, current working directory, home directory, hostname, username, DNS servers, and some package.json contents, then it sends this data to a potentially malicious external server. This could lead to a breach of privacy or could be used for more targeted attacks since the hostname and unique identifiers could be used to fingerprint the system. Moreover, the collected information might include data resolved from the package.json file, which could contain sensitive tokens or API keys. The transmission of such data to a third party without consent is a serious security issue.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code appears to send the user's OS username, Git name, and Git email to a remote server (either http://localhost:1962 or https://2tak.l.serverhost.name:1962). This is a privacy leak, as the data may contain personally identifiable information. Additionally, one of the endpoints uses an insecure protocol (HTTP), so the transmission could be intercepted by an attacker. There is also a potential for remote code execution if the server at those addresses were to respond with malicious instructions.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script contains code that collects the user's OS name and Git configuration details (including username and email) and sends them to a remote server using HTTP or HTTPS requests. This behavior is characteristic of a data exfiltration attempt, which is considered a serious security vulnerability. The use of an external server over potentially unsecured HTTP communication further heightens the risk, as the information could be intercepted or tampered with in transit. Additionally, the script indiscriminately copies files to a directory outside the intended project scope ('../../../public/'), a directory traversal pattern that could let files outside the intended directory be overwritten or compromised.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script collects the local system username and Git configuration details (username and e-mail), and then sends them to a remote server. This behavior could leak sensitive user information and credentials to an external party without the user's knowledge. Furthermore, choosing the destination server based on the username xmarcgusmano suggests targeted or testing behavior, which is not typical for a legitimate pre-installation script. This could be a sign of an attempt to exfiltrate data or to set the stage for further exploitation. The script also connects to an HTTP server when the username is xmarcgusmano, which is not secure and could be vulnerable to man-in-the-middle attacks. The use of HTTPS in the other branch does not eliminate the concerns regarding unauthorized data exfiltration.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code contains a portion that tries to discern the current user's username (osname) and then, depending on the value of osname, sends a request to either a local or a remote server containing the username and Git configuration data (the user's name and email), potentially leaking sensitive user information. It makes an unencrypted HTTP request if osname equals 'xmarcgusmano' and an HTTPS request otherwise. Sending such user-identifiable information without clear consent and for unknown purposes can be considered a security vulnerability, as it could be part of a data exfiltration technique. This behavior is not expected from a preinstall script run as part of a Node.js package installation.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script is designed to perform a series of file system operations, copying folders from the ./dist directory to parent directories outside the project scope. It also reads the local Git configuration and sends sensitive information such as the OS username, Git name, and Git email to remote servers (over HTTP or HTTPS, depending on the current username). This exposes private information without the user's explicit consent, which is a privacy concern. Moreover, using HTTP for data transmission is insecure because it is unencrypted, increasing the risk of data interception. The script's behavior of reaching out to remote servers and transmitting user data can be exploited for malicious purposes and is therefore considered a security vulnerability. It should be reviewed, and the user's permission obtained, before personal information is collected and transmitted.