Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.

@tarojs/cli

Detected: 2 Apr 2025
Affected Install Script: postinstall
Package Source: npm

The postinstall hook probes https://taro.jd.com/ with a 5 s timeout and, if the host answers, shells out to `taro global-config add-plugin` to install @jdtaro/plugin-build-report-performance@latest from http://registry.m.jd.com. Reachability of that host stands in for "running inside JD's network", but any machine that can reach it gets the command run. The plugin is fetched over plaintext HTTP from a registry the installing user never configured, at an unpinned @latest tag, and is written into the user's global Taro configuration, so it survives beyond this install. The command string is fixed, so there is no command injection from user input; the exposure is that an install-time hook silently pulls and registers third-party code from an HTTP registry. Because every failure is swallowed, on the public internet the hook is a no-op that leaves nothing in the install log.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

// Reachability of taro.jd.com is used as the "inside JD's network" test;
// the response body is never inspected.
axios.get('https://taro.jd.com/', { timeout: 5000 })
  .then(() => {
    // Adds an unpinned plugin from a plaintext HTTP registry to the user's
    // global Taro configuration. The command string is fixed.
    exec('taro global-config add-plugin  @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com', (error, _stdout, _stderr) => {
      if (error) {
        // Logged only; the install itself still succeeds
        console.error(`install performance plugin error: ${error}`)
      }
    })
  })
  .catch(() => {
    // Host unreachable (public internet): do nothing and report nothing
  })

Detected: 2 Apr 2025
Affected Install Script: postinstall
Package Source: npm

This version carries the same postinstall hook: an HTTP GET to https://taro.jd.com/ with a 5 s timeout, then `taro global-config add-plugin` pulling @jdtaro/plugin-build-report-performance@latest from the plaintext registry http://registry.m.jd.com. Nothing in the response is checked; only success of the request matters. The hook runs for every project that installs this package, whether or not it wants JD's performance-reporting plugin, and it needs the `taro` binary on PATH: when that is absent the error goes to console.error and the install still succeeds. Because the registry is reached over HTTP and the version is unpinned, whoever controls that registry, or the network path to it, controls what gets added to the global Taro configuration.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

// Only success of the request is used; the body is discarded
axios.get('https://taro.jd.com/', { timeout: 5000 })
  .then(() => {
    // Fixed command: unpinned plugin, plaintext HTTP registry, global config
    exec('taro global-config add-plugin  @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com', (error, _stdout, _stderr) => {
      if (error) {
        console.error(`install performance plugin error: ${error}`)
      }
    })
  })
  .catch(() => {
    // Host unreachable: silent no-op
  })

Detected: 1 Apr 2025
Affected Install Script: postinstall
Package Source: npm

This version logs which branch it took. It requests https://taro.jd.com/ with a 5 s timeout; on success it prints "JD内网" (JD intranet) together with the current working directory and runs `taro global-config add-plugin @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com`, echoing the command's stdout and stderr; on failure it prints "公网" (public network) and exits. The response body is not inspected: a successful request is the only condition. The command adds a plugin from an HTTP registry to the global Taro configuration on any machine where the probe succeeds, which is something a user would expect to opt into, not to receive from a postinstall hook.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

axios.get('https://taro.jd.com/', { timeout: 5000 })
  .then(() => {
    // JD intranet branch: taro.jd.com reachable ("JD内网" = JD intranet)
    console.log('*******JD内网:*******', process.cwd())
    // Adds an unpinned plugin from a plaintext HTTP registry to global Taro config
    exec('taro global-config add-plugin  @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com', (error, stdout, stderr) => {
      if (error) {
        // "执行错误" = execution error
        console.error(`执行错误: ${error}`)
        return
      }
      console.log(`stdout:{\n ${stdout} \n}`)
      console.log(`stderr:{\n ${stderr} \n}`)
    })
  })
  .catch(() => {
    // Public network branch: taro.jd.com unreachable ("公网" = public network)
    console.log('*******公网:*******')
  })

Detected: 1 Apr 2025
Affected Install Script: postinstall
Package Source: npm

Same hook as the preceding version: reachability of https://taro.jd.com/ gates a `taro global-config add-plugin` call that installs @jdtaro/plugin-build-report-performance@latest from http://registry.m.jd.com. The command takes no input from the environment or the user, so there is no injection path; the concern is that `npm install` of this package can change the machine's global Taro configuration and fetch code over plaintext HTTP without asking. The printed working directory is the project being installed, which the hook writes to stdout but does not send anywhere.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

axios.get('https://taro.jd.com/', { timeout: 5000 })
  .then(() => {
    // JD intranet branch ("JD内网" = JD intranet); prints the install cwd
    console.log('*******JD内网:*******', process.cwd())
    exec('taro global-config add-plugin  @jdtaro/plugin-build-report-performance@latest --registry http://registry.m.jd.com', (error, stdout, stderr) => {
      if (error) {
        // "执行错误" = execution error
        console.error(`执行错误: ${error}`)
        return
      }
      console.log(`stdout:{\n ${stdout} \n}`)
      console.log(`stderr:{\n ${stderr} \n}`)
    })
  })
  .catch(() => {
    // Public network branch ("公网" = public network)
    console.log('*******公网:*******')
  })

Detected: 1 Apr 2025
Affected Install Script: postinstall
Package Source: npm

This version installs a differently named plugin, @jdtaro/plugin-report-performance-data@latest, again from http://registry.m.jd.com and again only when https://taro.jd.com/ answers within 5 s. The exec call uses a fixed command string, so the preceding HTTP request does not open a command-injection path; what it does create is a network-dependent branch in an install hook: the same package behaves differently depending on where it is installed, and on the intranet branch it modifies global tooling configuration using a plaintext registry.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

axios.get('https://taro.jd.com/', { timeout: 5000 })
  .then(() => {
    // JD intranet branch ("JD内网" = JD intranet); prints the install cwd
    console.log('*******JD内网:*******', process.cwd())
    // Earlier plugin name; still unpinned, still a plaintext HTTP registry
    exec('taro global-config add-plugin  @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com', (error, stdout, stderr) => {
      if (error) {
        // "执行错误" = execution error
        console.error(`执行错误: ${error}`)
        return
      }
      console.log(`stdout:{\n ${stdout} \n}`)
      console.log(`stderr:{\n ${stderr} \n}`)
    })
  })
  .catch(() => {
    // Public network branch ("公网" = public network)
    console.log('*******公网:*******')
  })

Detected: 1 Apr 2025
Affected Install Script: postinstall
Package Source: npm

Identical hook to the previous version: probe https://taro.jd.com/ with a 5 s timeout, then run `taro global-config add-plugin @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com` and echo its output. An install script that registers plugins from an unauthenticated HTTP registry lets anyone who can answer for registry.m.jd.com, or sit between the client and it, choose the plugin package that the Taro CLI will later load; pinning a version or using HTTPS would narrow that, but the underlying problem is that a postinstall hook does it at all.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

axios.get('https://taro.jd.com/', { timeout: 5000 })
  .then(() => {
    // JD intranet branch ("JD内网" = JD intranet); prints the install cwd
    console.log('*******JD内网:*******', process.cwd())
    exec('taro global-config add-plugin  @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com', (error, stdout, stderr) => {
      if (error) {
        // "执行错误" = execution error
        console.error(`执行错误: ${error}`)
        return
      }
      console.log(`stdout:{\n ${stdout} \n}`)
      console.log(`stderr:{\n ${stderr} \n}`)
    })
  })
  .catch(() => {
    // Public network branch ("公网" = public network)
    console.log('*******公网:*******')
  })

Detected: 28 Mar 2025
Affected Install Script: postinstall
Package Source: npm

An earlier version of the hook, differing from the later ones in that the axios request has no timeout: if https://taro.jd.com/ neither answers nor refuses the connection, the postinstall step waits as long as the operating system's connection attempt takes before falling through to the "公网" (public network) branch. On success it runs `taro global-config add-plugin @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com`, adding an unpinned plugin from a plaintext HTTP registry to the global Taro configuration. The log line on the intranet branch also prints the working directory of the project being installed.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')
const axios = require('axios')

// No timeout here: a black-holed host can stall the install
axios.get('https://taro.jd.com/')
  .then(() => {
    // JD intranet branch ("JD内网" = JD intranet); prints the install cwd
    console.log('*******JD内网:*******', process.cwd())
    exec('taro global-config add-plugin  @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com', (error, stdout, stderr) => {
      if (error) {
        // "执行错误" = execution error
        console.error(`执行错误: ${error}`)
        return
      }
      console.log(`stdout:{\n ${stdout} \n}`)
      console.log(`stderr:{\n ${stderr} \n}`)
    })
  })
  .catch(() => {
    // Public network branch ("公网" = public network)
    console.log('*******公网:*******')
  })

Detected: 27 Mar 2025
Affected Install Script: postinstall
Package Source: npm

The first detected version uses the global fetch API instead of axios and sets no timeout. Global fetch exists only in Node 18 and later; on older Node versions the call throws a ReferenceError synchronously, which the .catch never sees, so the postinstall script exits non-zero and the whole `npm install` fails. Where fetch is available and https://taro.jd.com/ responds, the hook runs `taro global-config add-plugin @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com`, adding a plugin from a plaintext HTTP registry to the user's global Taro configuration without consent. The outbound request itself also tells whoever operates taro.jd.com that an install of this package is taking place.

Install script:
node postinstall.js
Install script code:
const { exec } = require('child_process')

// Global fetch: Node 18+ only, and no timeout. On older Node this line throws
// a ReferenceError that the .catch below does not catch, failing the install.
fetch('https://taro.jd.com/')
  .then(() => {
    // JD intranet branch ("JD内网" = JD intranet); prints the install cwd
    console.log('*******JD内网:*******', process.cwd())
    exec('taro global-config add-plugin  @jdtaro/plugin-report-performance-data@latest --registry http://registry.m.jd.com', (error, stdout, stderr) => {
      if (error) {
        // "执行错误" = execution error
        console.error(`执行错误: ${error}`)
        return
      }
      console.log(`stdout:{\n ${stdout} \n}`)
      console.log(`stderr:{\n ${stderr} \n}`)
    })
  })
  .catch(() => {
    // Public network branch ("公网" = public network)
    console.log('*******公网:*******')
  })