Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.
Follow our π / Twitter feed for updates.
Detected On: 7 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: high
The code provided is a potential security vulnerability because it is using the exec() function from node's 'child_process' module to run an external JavaScript file ('gayy.js'). Exec() is a dangerous function as it allows the execution of any system command within Node.js, and therefore it could be potentially used for malicious purposes, such as running arbitrary code, manipulate files, or gain unauthorized access to local resources. Additionally, there is no sanitization or checking of the file being executed, meaning this could easily be exploited if 'gayy.js' contains malicious scripts or if an attacker replaces it with a harmful file.
Detected On: 7 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate
The script contains a couple of potentially dangerous actions:
Running shell commands using execSync: this is declared in an android condition and is not dynamically built, however it could potentially be a point for code injection if in the future dynamics params are used.
Fetching a remote file and executing/unzipping it without verifying its authenticity or whether it's tampered with. This opens the potential for the remote server to serve malicious code, which is then executed on the user's system. It's important to include a hash check step before executing any downloaded files.
Also it's changing the permissions of the binary using fs.chmodSync making it executable and this could lead to arbitrary code execution if the downloaded binary is malicious.
Remember that security is about layers, and even if malicious intent isn't present in this script, it can present a vector for attack if any of the remote resources is compromised or if future changes to the script introduce vulnerabilities.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate
The code appears to be loading scripts external to the one being currently executed, specifically 'postinstall.js' and 'localinstall.js'. This in itself is not a problem, but it could lead to security issues if these scripts contain malicious code. Furthermore, the code is executing build scripts using the execa.sync function, which could be a security risk if the scripts or the arguments passed to them are in any way influenced by user input. The use of 'require' function with a dynamic parameter (retrieved from another script) is a potential security risk, as it could allow arbitrary code execution if the path is not sanitized and is under control of an adversary. Lastly, the script ignores all exceptions with the blank catch statement, which is a bad practice because it can make it harder to understand whether a security issue was exploited in case an attack happens.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical
The code collects sensitive information about the system like operating system details, hostname, home directory, DNS servers, the user, the package info, etc., and sends it to the specified hostname (1547exc0efa40oebi0wkyukbp2vtjl7a.oastify.com) via a HTTPS POST request. The function uses Node.js native modules to collect system and user information and gather all these details into a JSON object, convert them into a string, then sends this data to the remote server. This is a security vulnerability because an attacker could potentially use the information sent for malicious purposes such as gaining unauthorized access to the system or stealing sensitive data.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical
This script represents a serious security vulnerability as it uses node's os, dns, and https modules to gather sensitive system and user information, such as the home directory, hostname, username, and DNS server addresses. This information is then serialized and sent via a POST request to a remote server ("dm3237djc6isiydlsednyzio0f66uwil.oastify.com"). This could potentially allow an attacker to gather sensitive information for obtaining unauthorized system access or for launching further attacks.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate
This script can potentially lead to security issues as it allows the execution of arbitrary scripts (postInstallScriptPath and localInstallScriptPath) which is dangerous if untrusted or manipulated scripts are involved. It can serve as an entry point for an attacker to execute malicious JS code. The catch block is empty which means that any error that occurs during script execution is silenced, making it more difficult to debug or detect any tampering.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical
This script does several dangerous things: Firstly, it gathers sensitive details about the system where it runs including the name, user info, home directory, host name, DNS server information and sends this information to a remote server. Next, it sends a POST request to a server with its hostname "cmfw1k62vtc00003gh5ggk86y3oyyyyyb.oast.fun". All these details are concatenated in trackingData which eventually gets sent away - this can expose a lot of sensitive data about the environment where the script is running.
The remote server could use this information for various nefarious activities such as DNS server attacks, identity thefts, etc. Furthermore, the code is written to suppress any errors that occur during the request, making it more likely to go unnoticed.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate
The code above appears to have a few potential security issues that may pose a vulnerability:
It seems to dynamically execute scripts specified by file paths. This is especially dangerous if an attacker has the ability to modify these paths or the files they point to.
The script seems to be running the 'postinstall.js' and 'localinstall.js' scripts with Node.js without checking if they are safe. This makes the package vulnerable to remote code execution when a malicious script is present at one of the pointed paths.
It can lead to arbitrary command execution during the development process because an attacker may tamper with the helper's 'build.ts' file or manipulate environment variables as 'DEV'.
The catch block is empty, so it silently ignores any errors. Error messages can often provide critical information about a problem, and ignoring errors can lead to unhandled cases that could be exploited by an attacker.
Just to be confirmed safe, it would be great to analyze what the scripts 'postinstall.js', 'localinstall.js' and 'build.ts' are doing specifically to have a more detailed understanding of potential vulnerabilities.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate
The provided code block is potentially dangerous due to the following reasons:
The line execa.sync('node', [localInstallScriptPath], {...}) allows the execution of another JavaScript file located at localInstallScriptPath. This could be a security risk if the script at localInstallScriptPath has been tampered with or may be tampered by an attacker.
The line require(postInstallScriptPath) is also a security risk. It is loading and executing a JavaScript file from an external source. Malicious code may be injected into this file (postInstallScriptPath).
The script has a try-catch block that is directly catching all the exceptions but does not have any error handling logic. An attacker could exploit this because it may debug difficult or obscure any signs of code injection, modification, or failure from potential security events.
Running execa.sync with stdio: 'inherit', inherits the standard io of its parent processing. This could expose sensitive data that comes to standard output/error, potentially showing system or user-specific data that could be used in other attacks.
The script does not validate or sanitize input to require function and execa.sync function, this can lead to arbitrary code execution or path traversal attack.
In summary, without strict controls, checks, and input sanitization, the code may pose security risks.
Detected On: 6 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: moderate
The script destructively manipulates the package.json file by adding new scripts from an array called scripts. The script names and commands are not validated or sanitized, which can lead to arbitrary command execution if any of the scripts contains malicious code.
Moreover, the copyInstructions() function call at the bottom doesn't have any context in this script, making it unclear what will be executed during this process. If the function content is malicious or has vulnerabilities, it could potentially do harm to the system.
Additionally, the script is reading and writing to the file system using fs.readFileSync() and fs.writeFileSync(), which are potential areas of vulnerability if the data being written is untrusted or if inappropriate file permissions are granted.
