
Latest npm Security Vulnerabilities

Sandworm actively monitors all new npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.

Follow our X / Twitter feed for updates.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script appears to be a pre-installation script that not only performs local file operations, but also sends sensitive data to a remote server. The sensitive data includes the OS username, and potentially the user's Git configuration details such as their Git username and email. This can be considered a security vulnerability because it performs unauthorized exfiltration of personal information to an external server, which can then be used for malicious purposes such as phishing attacks or identity theft. The script does this by constructing a URL with these details and initiating a GET request to the server. Additionally, if the remote server is compromised or the transmission is intercepted, the user's sensitive information could be exposed. There is also the potential for the remote server to instruct the script to perform further malicious actions.

Detected On: 10 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script collects the OS username and Git configuration data (name and email) of the user and then sends this information to a remote server using either HTTP or HTTPS depending on the username ('xmarcgusmano' uses HTTP, others use HTTPS). This behavior can be part of a data exfiltration mechanism, which is a security issue as it might leak sensitive user information without consent. Additionally, the use of HTTP for transmitting this data is insecure as it is unencrypted; it should always be sent over HTTPS to prevent interception. The code also performs various file operations that seem associated with a setup process, but the data transmission part is potentially harmful.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code transmits the operating system username and Git configuration information, including the user's name and email, to a remote server, which can be a significant privacy concern and could be used for malicious purposes. There's a conditional check where, if the username is 'xmarcgusmano', it uses an HTTP connection to localhost, which could be an attempt to exploit a service running on the developer's machine. Otherwise, it sends the information to a remote HTTPS server. This behavior can be exploited to steal personal information or to perform further attacks.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script contains code that sends local user and system information (OS name, Git username, Git email) to a remote server without the user's explicit consent or knowledge. This behavior could be exploited to collect sensitive data from users which might be further used for malicious purposes such as identity theft or phishing attacks. The URLs used in the script (http://localhost:1962 and https://2tak.l.serverhost.name:1962) are indicative of data exfiltration to a possibly untrusted or compromised server. Additionally, the script uses both HTTP and HTTPS, with the HTTP connection lacking encryption, thus potentially exposing data to interception during transit.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code includes a function that sends the OS username, Git name, and Git email to a remote server, which is a privacy concern as it is transmitting potentially sensitive information without the user's explicit consent. Additionally, this behavior is likely not expected from a preinstall script and might be used for malicious purposes. The usage of both HTTP and HTTPS protocols depending on the condition without proper security checks can also expose the data in transit to interception or manipulation.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script reads and sends potentially sensitive information from the local git configuration file to an external server. The information includes the operating system username, Git name, and Git email which could be used for targeted phishing attacks or to identify contributors for more malicious purposes. Furthermore, connecting to external servers without explicit user consent is a dangerous practice that can be exploited to send or retrieve malicious payloads, leading to further system compromise.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script is capable of transmitting sensitive user information such as Git user name and email, as well as the username of the operating system to a remote server which could be a data exfiltration attempt. It uses http.get/https.get to send data to an external server which is a typical pattern for sending stolen data to a command and control server. This is potentially dangerous as it can leak sensitive information without the user's consent.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script sends local user information (OS username, Git config name, and email) to a remote server, which could be used for malicious purposes such as phishing or unauthorized access. The use of HTTP and HTTPS requests to send sensitive data to an external endpoint is a potential security vulnerability, as this data could be intercepted or misused by an attacker.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script performs potentially dangerous operations as follows:

  1. It gathers the operating system username and Git user information from the local system.

  2. It forms a URL with the gathered information, which includes the local username and Git configuration details.

  3. It sends a GET request to a remote server with this sensitive information as part of the URL query parameters.

This is dangerous because it exfiltrates potentially sensitive user information to a remote server without the user's explicit consent, which can be used for malicious purposes. This kind of behavior is typical of spyware or data exfiltration malware. Additionally, the use of both HTTP and HTTPS to communicate with the server is insecure, particularly with HTTP, as it sends data unencrypted.

Detected On: 9 Nov 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script uses HTTP and HTTPS requests to send the user's OS username, Git name, and Git email to a remote server. This is a data exfiltration vulnerability; sensitive information (PII) is being transmitted without consent or encryption (in the case of the HTTP request). The script also alters file system content without clear user consent, which could lead to a potential privilege escalation if combined with other exploits.

729 vulnerabilities