
Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.


Detected On: 6 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: moderate

This script is designed to download two files from a URL chosen according to the current operating system and architecture (Linux or macOS, x86_64 or arm64). It is also meant to check the downloaded files against a SHA256SUMS file to verify their integrity.

The problem is that the command that performs the shasum check has been commented out. This means that somebody could replace the files being downloaded with versions that contain malicious code. Normally the shasum check would catch this, because the hash of a modified file's contents would no longer match the published sum, but without that check there is nothing to stop the substituted files from being used. This is why the script is considered a vulnerability.

Detected On: 6 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate

This script downloads a binary file from an external source. The binary is then extracted and written to the filesystem. Code like this could be used to download malicious code, creating a security vulnerability.

The axios library is used to download vale binaries from the errata-ai/vale GitHub release URL, extract them, and then spawn a child process running these potentially harmful binaries.

While the source in this code is fixed and explicitly specified as 'https://github.com/errata-ai/vale', a malicious actor who could modify this source URL could point it at their own endpoint, causing the script to download and run their malware.

This code also does not validate the integrity of the downloaded files, so it could execute manipulated or corrupted binaries.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate

The code in itself might not be malicious, but it has a potential security vulnerability. It replaces the original 'signtool.exe' with a possibly altered or malicious version from a local directory, using 'copyFileSync'. This could lead to malicious code being injected into the system. If the replacement 'signtool.exe' is not trustworthy, it could open avenues for sabotage, data theft, or unauthorized system control. It could, for instance, replace signtool with a version that signs all executables regardless of their trustworthiness, effectively disabling this security measure.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:install
Severity: moderate

The script fetches a package from a GitHub repository, downloads it, decompresses it, and then executes whatever is inside. This is not necessarily a dangerous operation in itself, but it creates a potential security vulnerability if the GitHub repository or the package in question is compromised. An attacker could put malicious code into the package, and this script would download and execute it without any check for harmful actions.

Additionally, the execSync function could lead to a potential injection vulnerability if user input is used to compose the executed command.

In this case binPath is constructed from user-defined strings. If an attacker gains control over these strings and can modify them, they could execute arbitrary commands on the system with the permissions of the script.

Finally, the exception handling mechanism appears to be entirely absent, which is not good coding practice.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script collects various pieces of information about the user's system (package name, current directory, home directory, hostname, username, DNS servers, package resolved URL and version, and package.json contents) and then sends them in a POST request to a potentially malicious external server (cmfh5fn2vtc0000k81kggk8a1ayyyyyyb.oast.fun).

This is a serious security vulnerability because the information sent could be used for malicious purposes such as system exploitation, sensitive data theft, or other types of attacks. Furthermore, data streamed back from the server is written to the process's stdout, potentially altering the user's terminal or even running unwanted commands if it contains shell control sequences. This could give the attacker control over the user's system.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The script collects sensitive information such as the user's home directory, hostname, username, and DNS servers. It also collects details about the current Node.js package, such as its name, path, resolved URL, version, and entire package.json content. This data is then formed into a query string and sent as an HTTPS POST request to a remote server indicated by "hostname". This behavior is indicative of a backdoor or data exfiltration exploit, where potentially sensitive data is sent to a remote server under the control of an attacker.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:postinstall
Severity: moderate

The script includes several vulnerabilities.

The first potential security problem comes from the execSync() function, which is used to execute shell commands. This is a security risk because it allows commands to be run on the host system, opening the door to arbitrary code execution. In this case, the script executes shell commands to upgrade packages, install specific packages, and clone a repository from GitHub. While these actions seem innocuous based on the given information, they can still open vulnerabilities, as the cloned repository could contain harmful scripts.

Secondly, the script downloads an externally hosted binary from a URL defined in a configuration file. It does not validate the downloaded file in any way, checking neither its integrity nor its authenticity, which is a potential risk. An attacker only needs to gain control of the download site to distribute malware to every user.

Lastly, the script writes to a file using user-supplied values without performing any input validation or sanitization. In this case, version and binName are plugged directly into the string that forms the download URL. This opens up the possibility of injection attacks: an attacker who could modify these values (by gaining access to the package.json file, for example) could point the script at a malicious script or binary.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: moderate

The script replaces the content of package-lock.json with {}, which removes all of the project's locked dependencies. After that, it runs npx npm-force-resolutions. npx executes npm-force-resolutions, which is unsafe because it allows any package to be installed independently from npm, potentially granting access to malicious packages. This can lead to various security breaches, including running or downloading remote code, stealing sensitive information, and gaining root access, among others. Also, running scripts with npx that were never installed locally can lead to security issues, because npx runs code fetched directly from the internet, the content of which could be manipulated or compromised.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script collects various pieces of data from the environment it runs in, such as the package name, directory name, home directory, hostname, username, DNS servers, and a list of directories. All of this data is potentially sensitive. The data is then POSTed as a form to "eo4wjf5yiwgzpeu.m.pipedream.net". This can be seen as a malicious action because it sends potentially sensitive information to a remote server without the user's consent.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The index.js file reads data from the local system, including potentially sensitive information like the home directory (os.homedir()), the username (os.userInfo().username), and the machine hostname (os.hostname()), as well as other package and directory details. It then sends this data to a remote server (hostname:"qpjw7bvg5ov51rua11o4fv7lnct3ht5i.oastify.com") via an HTTPS POST request. Such behavior can be classified as suspicious and potentially malicious, resembling a form of data exfiltration. It therefore represents a significant security vulnerability.
