Latest npm Security Vulnerabilities

Sandworm actively monitors all new npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code collects system information (username, git config data) and sends it to a remote server. This could be used for profiling, tracking and potentially phishing or more direct attacks if the server is malicious. It uses the system's network capabilities to send an HTTP or HTTPS request with osname, gitname, and gitemail as parameters, which can leak sensitive information about the user and the system's configuration. This is a privacy and security concern, especially since the intent and use of the collected data are not disclosed to or consented to by the user.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code collects sensitive information about the system it is running on, including the package name, directory name (__dirname), home directory path, hostname, username of the current user, DNS servers, possible private package repository resolution information, package version, and entire contents of packageJSON. It then sends this data to a remote server via an HTTPS POST request. The server address ksgm0vnv3pse9kmqq4pzs59p6gc70yon.oastify.com appears to be a domain designed to collect and potentially exploit this information. This behavior is commonly associated with backdoor or telemetry scripts that violate user privacy or system security.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script sends sensitive information such as the OS username, Git user name, and Git email to an external server without explicit consent, which could be a privacy breach, since this data can identify the user and be misused by malicious parties. It performs these actions in the background under the guise of a preinstall script, which users might not expect to make network requests and transmit personal data.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The provided script reads the username, system-related information (from os.userInfo()), and the local Git configuration (from ~/.gitconfig) and then sends this information to an external server without the user's consent, which is a security and privacy violation as it leaks sensitive data. The external server is chosen based on the username, opening potential avenues for targeted attacks. This could be considered a form of data exfiltration. Additionally, the script makes network requests to potentially untrusted servers, which might be used to download and execute further malicious payloads, thus posing a risk of remote code execution or introducing additional vulnerabilities.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code collects the operating system username, Git name, and Git email from the local user's system and sends them to a remote server without consent, which is a violation of privacy. It uses the http and https modules to send a GET request to a URL with query parameters containing the sensitive information. This behavior can be exploited to perform further malicious activities such as phishing or identity theft.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code collects the current user's operating system username and Git configuration data (including user name and email), possibly from the gitconfig file, then constructs a URL with this information and sends a GET request to a remote server. This behavior is indicative of a data exfiltration attempt, which is a security concern as sensitive information could be sent to an attacker-controlled server without the user's knowledge or consent. Additionally, the script uses either HTTP or HTTPS depending on a conditional username check, and the HTTP request is unencrypted and hence susceptible to interception.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script sends local user information to a remote server, which is a privacy and security concern.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script performs several potentially dangerous actions. It gathers the username of the operating system, retrieves .gitconfig with the user's name and email, and then sends this information to external servers, which could be used for malicious purposes. The external endpoints are hardcoded, which could be used for data exfiltration or as part of a command and control setup. It does not verify the external server's identity, opening up the risk of man-in-the-middle attacks. The use of both http and https for data transfer can expose information where encryption is not used (http). Additionally, the script has operations to copy folders without obvious user consent, which could potentially alter system files or introduce malicious files.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script retrieves the username and git configuration (name and email) and sends this data to a remote server, which is a privacy concern. It uses HTTP and HTTPS to connect to two different servers based on a condition, which might be used to bypass security measures. This could potentially leak sensitive user information. Moreover, HTTP requests are insecure because they are not encrypted, potentially exposing user data to interception. There is scope for misuse if the remote server is controlled by a malicious actor, as it is not good practice to send potentially sensitive information like git configuration details over the Internet without a clear, secure, and legitimate purpose.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script collects the current user's OS username, Git configuration information (name and email), and then sends it to an external server. This behavior can lead to sensitive information being exfiltrated from a user's machine without their knowledge, posing a security risk.

729 vulnerabilities