
Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.


Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script file contains obfuscated JavaScript code, which makes it hard to discern the code's intent. The use of the eval function can allow attackers to execute arbitrary code. Parts of the code suggest that the script gathers system information such as uptime, hostname, memory usage and CPU core count, and then issues an HTTPS request that might transmit this data to a remote server, possibly representing a data exfiltration attempt. It could potentially be used for malicious purposes such as system information theft. Obfuscation combined with eval is a common indicator of malicious intent. Therefore, it is recommended to avoid this script.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The code seems to be malicious, as it uses multiple hiding techniques commonly found in obfuscation attempts. The large number of computed variable assignments, the use of the eval() function, and unusual string manipulations indicate that the code may contain functionality that attempts to hide its true behavior from analysis. Moreover, the script sends non-transparent HTTPS requests to a hard-coded URL (pastebin.com), which might be used to send information or to download malicious code from a remote server. Using eval() to execute remotely fetched code presents a particularly significant security risk, as it allows arbitrary code execution.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script appears to fetch and run unknown remote code. This is dangerous because it could execute malicious code served from an online server. It also obfuscates its operation, which is characteristic of dangerous or malicious scripts. The function startApp() appears to make an HTTP request to a remote server (pastebin.com) and retrieves some data. This data is then immediately run using 'eval'. This is particularly dangerous because it executes code that the system downloads from the Internet.

This pattern opens a huge security gap: an attacker who controls the remote content can execute any command, which might result in your system being compromised.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The script obtains system information such as hostname, CPU cores, memory, uptime, etc. It then checks whether it is running in a virtual machine environment. It creates an HTTPS request carrying this information and sends it to a remote server, "pastebin.com". The script makes use of "eval", where it appears to execute any content retrieved from the server. This is dangerous because it allows remote code execution, which can be used to download more malicious code or to gain unauthorized access to the system's resources.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

This script appears to be obfuscated, a technique often used to hide malicious activity. After the obfuscation is removed, we can see several key indicators of malicious behavior:

  1. It uses os.networkInterfaces() to gather information about the machine's network interfaces.

  2. It checks certain properties of the system such as the uptime, the number of CPU cores, the amount of RAM, etc. Such checks are often used by malicious scripts to ensure that they are not running in a virtual machine or on a system used for malware analysis.

  3. It connects to the remote server "pastebin.com" through an HTTPS request and then evaluates the response data with eval. This behavior is typical of scripts that are part of a command and control system for a botnet or other unauthorized remote access tool.

Given these behaviors, the script poses risks including information leakage, unauthorized remote access and the execution of potentially harmful remote code.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The code is highly obfuscated, making it difficult to understand its exact functionality. Nonetheless, it has features that signify potentially malicious activity, such as downloading and executing a script from a remote address through the "https.request" and "eval" functions. This could allow unauthorized execution of arbitrary code, potentially leading to information disclosure or unauthorized actions on the system. Moreover, the code implements several checks and attempts to bypass virtual machine detection, indicating it was designed to evade analysis and potentially to target specific systems.

Detected On: 8 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: critical

The given script is obfuscated JavaScript code that makes use of various OS-level functions such as os.networkInterfaces() and os.totalmem(). It calls the eval() function, which is notorious for facilitating arbitrary code execution. This opens potential avenues for the execution of malicious code that may cause harm to your system. Specifically, it makes an HTTP request to a server (hostname "pastebin.com", port 443) and attempts to execute whatever code is returned. This allows arbitrary code execution from a remote host, making it a clear security risk.

Detected On: 7 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script collects sensitive system data using Node.js built-in modules such as "os" and "dns". It packages this data, including the package name, current directory, home directory, hostname, username and DNS servers, into a JSON object. It further includes potentially sensitive information from the "package.json" file. The data is then sent to a remote server via an HTTPS POST request. This is a security vulnerability, as it could be used to gather sensitive information about a system without the user's knowledge. Furthermore, the destination server ("727joincefpm0lf605nwmjfa218swjk8.oastify.com") looks suspicious and may be used for malicious purposes. If this server is under the control of an attacker, they could use the collected data to perform further attacks on the system.

Detected On: 7 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This code is a web shell script that takes an encoded, compressed payload from POST data, then decompresses, decodes, and finally evaluates it. This allows an attacker to execute any PHP code they wish, which can lead to system compromise, unauthorized data access, data manipulation, and many other malicious activities. The script provides no protection or validation against such abuse, making it extremely dangerous.

Detected On: 7 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: high

This code is dangerous because it uses the 'exec' function from the 'child_process' module of Node.js to execute a local file named gayy.js. This is a potential security risk because 'exec' runs its argument through the system shell, so it can run any shell command, including commands that read or write files, delete data, or open network connections. If the gayy.js file or the command to be executed has been tampered with, attackers could execute arbitrary code with the privileges of the Node.js process.
