
Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Detected On: 9 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: moderate

The script reads the content of a .env file (which may contain sensitive environment variables) and exports it, making it potentially available to any process that might be running. Furthermore, the "xargs" command could be used to execute harmful commands if malicious input were provided. This approach is prone to injection attacks in which an attacker controls the content of the .env file.

Detected On: 9 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate

This script clones a potentially unverified Git repository into your node_modules/vue-select directory, checks out a specific branch, and subsequently installs and builds potentially unsafe code from that branch using npm commands. This can lead to remote code execution, injection of malicious code, or theft of sensitive data if the repository or branch contains malicious content.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: moderate

The script reads all variables from a .env file and exports them as environment variables. This poses a risk, since anyone with access to any script running in this environment could read these variables, which may include sensitive information. The xargs command can also be dangerous if the .env file contains specially crafted input.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script gathers information about the system it runs on, including the package name, directory path, home directory, hostname, username, DNS servers, the package's resolution field, package version, and full package data, some of which is sensitive. This data is then sent to a remote server (hostname: "cmfh5fn2vtc0000k81kggk8a1ayyyyyyb.oast.fun"), potentially compromising the confidentiality and integrity of the system. This could be used for information gathering in preparation for an attack or a privacy breach. The "console.error(e);" call is also commented out, so errors generated by this script would not be visible in the console (potentially hiding signs of foul play from administrators).

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: moderate

The script reads all variables (including potentially sensitive ones, such as passwords, database URLs, and API keys) from a file called ".env" and exports them into the environment. This is potentially dangerous because it could leak sensitive environment variables: other scripts or programs with access to the same environment could read them, leading to a possible security breach. Additionally, if any of these variables contain command-level syntax, they could be executed, unintentionally or maliciously, depending on the context. There is also no filtering of these variables, which makes them a potential injection risk.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate

This script poses a security vulnerability. It fetches and extracts a tar.gz file from an external source over an HTTP request, but it does not verify the authenticity of the downloaded file. This exposes the system to risks such as downloading and executing malicious code. There are also no checks on which URL is used, which leaves the system open to untrusted or harmful sources. In addition, the script executes shell commands in android to upgrade, install, and build code from a cloned Git directory. These operations can pose serious threats if the source repository contains rogue or harmful code.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script has a series of vulnerabilities that could give malicious individuals a launching pad to inflict harm. The main concerns are:

  1. The function checkVirtualMachine(), which could detect virtual machines; this information can be harmful if passed to a third party.

  2. The function startApp() makes a request to a remote server ('pastebin.com') and executes the response with eval, permitting arbitrary remote code execution.

  3. The entire script is obfuscated, which makes it difficult to understand all possible pathways and effects, and may well hide other security vulnerabilities.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

This code downloads a remote script and executes it. This is dangerous because the downloaded script can include any malicious code, such as stealing sensitive data, gaining root access, or otherwise harming the system. The code uses HTTPS to request a remote script from 'pastebin.com' and, upon successful retrieval, directly evaluates the fetched script with the 'eval' function. 'eval' in JavaScript can execute any JS code, which makes it a security risk, particularly when combined with remotely fetched scripts.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script contains obfuscated JavaScript code that checks certain system conditions, such as memory and CPU cores; if the checks pass, it makes an HTTPS request to an unnamed server on port 443 (the HTTPS default). The response from the server is then passed to the eval() function and executed. This is a security vulnerability because the script could execute potentially harmful code that it receives from the server, including downloading or installing additional malicious scripts, exploiting other vulnerabilities, manipulating system configuration, or stealing sensitive data.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script contains potentially harmful actions. Firstly, it employs obfuscated code, which is a red flag because it can hide harmful behaviour. Secondly, it uses the eval function, which is dangerous because it allows arbitrary code execution and could open the door to many types of attack, including code injection. Additionally, it appears to make HTTP requests to a remote server, which could indicate that data is being sent out, possibly to a command-and-control (C&C) server.
