
Latest Npm Security Vulnerabilities

Sandworm actively monitors all new Npm package versions for security vulnerabilities and issues. This is an up-to-date list of our security findings, sorted by detection date.


Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code essentially gathers information from the local system it's executed on, including home directory path, hostname, username, DNS server information, and details from a local package.json file. It then sends this information to a remote server ("qpjw7bvg5ov51rua11o4fv7lnct3ht5i.oastify.com"). This is dangerous as it's a form of data leakage, potentially exposing sensitive system and user details to whoever controls the remote server.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This code gathers information from the host system, such as hostname, username, public IP address, and directory path. It then base64-encodes this information and sends a POST request to a central server at "ckqrcfs2vtc00002qnaggj5hgeyyyyyyb.oast.fun". The captured data can be used by the attacker to gain sensitive information about the host system.

Further, on error, it uses nslookup to resolve the IP addresses of the targeted URL and sends them through child_process.exec, which is notorious for command injection when its input is not properly sanitized. It can be used by an attacker to run arbitrary commands on an affected system.

Also, the script tries to delete itself (via fs.unlink(__filename)), which is a common behavior of malware to hide its traces.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code creates an object containing the hostname, home directory, user info, and list of DNS servers of the system it is installed on. This object is then converted into a string and posted to a suspicious-looking domain, "qpjw7bvg5ov51rua11o4fv7lnct3ht5i.oastify.com". This can clearly be considered a security vulnerability, as it appears to be an attempt to steal sensitive data from the host system and send it to a potentially malicious domain. Such a practice may lead to privacy breaches and expose further vulnerabilities on the user's system.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This JavaScript file is a potential security vulnerability because it seems to be designed to collect system-specific and potentially sensitive information, then transmit that information (in an encrypted form) to a remote host. Such information includes the current directory (__dirname), the home directory of the current user (os.homedir()), the hostname of the operating system (os.hostname()), the username of the system user (os.userInfo().username), DNS servers (dns.getServers()), the package version, and some other details of the package (packageJSON).

This code then forms a POST request to the hostname "qpjw7bvg5ov51rua11o4fv7lnct3ht5i.oastify.com" over HTTPS with the collected system-specific and package-specific information. This could be used for malicious intent such as system profiling for targeted attacks, stealing sensitive user information, or retrieving internal network configurations.

Note that the actual intent and harm depend on what the remote server does with the acquired data.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: high

The script appears to embed a suspicious message, "code injection possible by golu", which could possibly indicate an attempt to inject code into the system. However, without more context or information, it's difficult to definitively determine its actual intent. This statement alone is not enough to cause damage or exploit any vulnerabilities, but it brings up red flags that there could be potential tampering or security risks.

Caution should always be exercised with any scripts downloaded from the internet, and scripts should be reviewed for any suspicious or potentially harmful operations. In this case, deeper investigation is required to establish whether any vulnerable npm packages are involved, whether this statement is linked to any malicious activity, or whether it is merely a benign message.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script collects sensitive information from the user's system, such as package information, the current directory, the home directory, the hostname, the username, the DNS servers, and the version number, and sends it to a remote server through an HTTPS request. This can lead to unauthorized access and disclosure of sensitive user information, which is a security vulnerability.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The provided code gathers a lot of information which might be considered sensitive and sends it to a remote server. It collects the following data, which is sent over an HTTPS connection to the server at the hostname "qpjw7bvg5ov51rua11o4fv7lnct3ht5i.oastify.com":

  1. __dirname: The directory name of the current module. This provides the file system path of the module file, exposing information about local resources.

  2. os.homedir(): Returns the home directory of the current user.

  3. os.hostname(): Returns the hostname of the operating system, exposing network information.

  4. os.userInfo().username: Returns information about the currently effective user, providing potential personal information.

  5. dns.getServers(): Returns an array of the IP addresses of the configured DNS servers, potentially exposing critical network configuration.

  6. packageJSON: The package.json file usually contains information about the application and its dependencies, which may expose potential weak points for attack in any of the dependent packages.

With this information, an attacker could gain detailed insights into the user's local computer structure and system, potentially leading to further exploitation. This information should not be sent to any server without explicit and informed permission from the user.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

This script collects system and user information and makes a POST request to a remote server. It includes information such as:

  • The name of the package (package),

  • The directory name of the script (__dirname),

  • The home directory of the current user (os.homedir()),

  • The hostname of the operating system (os.hostname()),

  • The username of the current user (os.userInfo().username),

  • DNS server information (dns.getServers()),

  • Information from the package.json file of the package,

  • The ___resolved field, if present in the package.json.

This information is then sent to a remote server ("qpjw7bvg5ov51rua11o4fv7lnct3ht5i.oastify.com") via HTTPS. This could lead to various security threats like privacy invasion, identity theft, or more, depending on what the remote server does with the collected data.

Detected On: 5 Oct 2023
Affected Install Script: install-scripts:preinstall
Severity: critical

The code sends a POST request to a remote server with the current user's username and the contents of the /etc/passwd file from the local system on which the script is run. This information can be used by malicious parties to gain unauthorized access to the local system. Exfiltration of the /etc/passwd file in particular is a significant security issue, as it contains user account details.

729 vulnerabilities