
Sandworm scans all new npm package versions for malicious install scripts.
Scanning since October 2024.

@tarojs/binding


Detected: 2 Apr 2025
Affected Install Script: postinstall

This code attempts to build a dynamic library from source using cargo and writes the output directly to the file system based on the operating system and architecture. It can potentially allow an attacker to execute arbitrary code if they can manipulate the environment in which this script runs, possibly gaining unauthorized access to system resources or executing harmful payloads. Additionally, it does not provide any validation on the libraries being built or their origin, posing a further risk.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 1 Apr 2025
Affected Install Script: postinstall

This code executes a command that builds a library from source using Cargo (a Rust package manager), which could potentially allow it to run arbitrary code on the system. It also reads and writes binary files that could be part of a dynamic library, allowing local libraries to be modified or replaced, which can be exploited to execute malicious payloads or gain unauthorized access to system resources.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 1 Apr 2025
Affected Install Script: postinstall

The code attempts to build a shared library from source code using Rust and can execute system commands via execSync, which poses a risk if the input is manipulated or if an attacker can influence the environment. Additionally, it takes content from a dynamically built library and writes it to the local filesystem, which can potentially be exploited to run unauthorized code or malware.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 1 Apr 2025
Affected Install Script: postinstall

The code builds a dynamic library from source using the Rust programming language and executes a command to compile it. This could allow arbitrary code execution on the local system, leading to potential exploitation if the code running this script is compromised or misused. Additionally, the script writes the compiled library directly to the filesystem, which could be harmful if it executes or interacts with other processes unexpectedly.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 1 Apr 2025
Affected Install Script: postinstall

The script executes a command to build a dynamic library from source code, which could potentially be used to replace or inject malicious code. It also reads the content of the built library and writes it to a specified location, which could allow for unauthorized code execution if the library is compromised or not verified, posing a serious security risk.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 28 Mar 2025
Affected Install Script: postinstall

This code includes the execution of a shell command (cargo build --release) using execSync, potentially allowing for arbitrary code execution depending on the user's environment and inputs. Additionally, it handles dynamically created shared libraries that could potentially be exploited to load malicious code. Such behavior can lead to the installation of untrusted code or manipulation of the system.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 28 Mar 2025
Affected Install Script: postinstall

The code executes a system-level command to build a dynamic library (dylib) from source using cargo, which can potentially run arbitrary code and execute system commands. This could be exploited to gain unauthorized access to system resources or execute malicious commands if an attacker can manipulate the environment variables or the execution context.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 27 Mar 2025
Affected Install Script: postinstall

The script builds a shared library from source using cargo (a Rust package manager) and then loads it into the current Node.js environment. This poses a significant risk as it executes potentially arbitrary code through execSync, and it writes to the filesystem directly, which may be exploited to replace legitimate libraries with malicious ones. Moreover, if executed without appropriate safeguards or validation, it might lead to running untrusted code, compromising the system's security.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 26 Mar 2025
Affected Install Script: postinstall

This script executes a command to build a shared library from source, which could be exploited to run arbitrary code if the source is malicious. It reads a dynamically linked library and writes it to a specific location, potentially allowing for the execution of compromised code with elevated privileges.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}

Detected: 24 Mar 2025
Affected Install Script: postinstall

The code compiles a library using cargo and subsequently writes it to the file system. This process could potentially allow an attacker to run arbitrary code or malicious DLLs on the user's system, especially since it operates with the privileges of the process invoking the script, which is often a user with elevated rights. The absence of validation on the content of dynamically loaded libraries (like dylib or dll) introduces further risk of executing harmful code.

Install script:
node postinstall.js
Install script code:
const { execSync } = require('child_process')
const { readFileSync, writeFileSync, existsSync } = require('fs')
const { join, resolve } = require('path')
const { platform, arch } = require('os')

const { platformArchTriples } = require('@napi-rs/triples')

const PLATFORM_NAME = platform()
const ARCH_NAME = arch()

if (process.env.npm_config_build_from_source || process.env.BUILD_TARO_FROM_SOURCE) {
  let libExt
  let dylibName = 'taro_binding'
  switch (PLATFORM_NAME) {
    case 'darwin':
      libExt = '.dylib'
      dylibName = `lib${dylibName}`
      break
    case 'win32':
      libExt = '.dll'
      break
    case 'linux':
    case 'freebsd':
    case 'openbsd':
    case 'android':
    case 'sunos':
      dylibName = `lib${dylibName}`
      libExt = '.so'
      break
    default:
      throw new TypeError('Operating system not currently supported or recognized by the build script')
  }
  execSync('cargo build --release', {
    stdio: 'inherit',
    env: process.env,
  })
  let dylibPath = join(__dirname, 'target', 'release', `${dylibName}${libExt}`)
  if (!existsSync(dylibPath)) {
    dylibPath = join(resolve(__dirname, '..', '..'), 'target', 'release', `${dylibName}${libExt}`)
  }
  const dylibContent = readFileSync(dylibPath)
  const triples = platformArchTriples[PLATFORM_NAME][ARCH_NAME]
  const tripe = triples[0]
  writeFileSync(join(__dirname, `taro.${tripe.platformArchABI}.node`), dylibContent)
}