Add recent reports #776

Open
wants to merge 2 commits into
base: main
28 changes: 28 additions & 0 deletions osv/malicious/npm/achalk-next/MAL-0000-achalk-next.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:53:06.539653Z",
"published": "2025-01-21T17:53:06.539653Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in achalk-next",
"details": "This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "achalk-next"
},
"versions": [
"6.1.5"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
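Review bot: `id` is the empty string in this record (the file name carries the MAL-0000 placeholder), and the same holds for every record in this PR; if the repository's tooling assigns ids on merge that is fine, otherwise real ids are needed before these files are published. The `details` text also does not say when the exfiltration runs (an install script, on import, or only when a file is executed directly), which is exactly the question the ethchained discussion further down turns on. Since csbchalk-next, cscchalk, cschalk-next and cschalk carry identical details, version 6.1.5 and the same timestamp, consider stating the apparent imitation of `chalk` in each, the way the marked-as record states its imitation of `marked`.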
28 changes: 28 additions & 0 deletions osv/malicious/npm/arcus-cmd-utils/MAL-0000-arcus-cmd-utils.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T18:04:01.192034Z",
"published": "2025-01-21T18:04:01.192034Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in arcus-cmd-utils",
"details": "This package executes a base64-encoded script to download an Electron-based infostealer binary, aimed at exfiltrating cryptocurrency wallets, credentials, and other sensitive data.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "arcus-cmd-utils"
},
"versions": [
"1.0.0"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
28 changes: 28 additions & 0 deletions osv/malicious/npm/csbchalk-next/MAL-0000-csbchalk-next.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:53:06.539653Z",
"published": "2025-01-21T17:53:06.539653Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in csbchalk-next",
"details": "This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "csbchalk-next"
},
"versions": [
"6.1.5"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
28 changes: 28 additions & 0 deletions osv/malicious/npm/cscchalk/MAL-0000-cscchalk.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:53:06.539653Z",
"published": "2025-01-21T17:53:06.539653Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in cscchalk",
"details": "This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cscchalk"
},
"versions": [
"6.1.5"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
28 changes: 28 additions & 0 deletions osv/malicious/npm/cscchokidar-next/MAL-0000-cscchokidar-next.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:53:06.539653Z",
"published": "2025-01-21T17:53:06.539653Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in cscchokidar-next",
"details": "This package has destructive functionality to delete development-related directories.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cscchokidar-next"
},
"versions": [
"4.0.14"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
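Review bot: `details` here says only that the package deletes development-related directories, whereas the chalk-like records above pair that clause with API-key exfiltration; please confirm the omission is deliberate and, either way, state which directories are targeted and whether the deletion runs from an install script or on import, so a reader can judge the blast radius of installing 4.0.14.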
28 changes: 28 additions & 0 deletions osv/malicious/npm/cschalk-next/MAL-0000-cschalk-next.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:53:06.539653Z",
"published": "2025-01-21T17:53:06.539653Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in cschalk-next",
"details": "This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cschalk-next"
},
"versions": [
"6.1.5"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
28 changes: 28 additions & 0 deletions osv/malicious/npm/cschalk/MAL-0000-cschalk.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:53:06.539653Z",
"published": "2025-01-21T17:53:06.539653Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in cschalk",
"details": "This package exfiltrates API keys to an attacker-controlled server. It also has destructive functionality to delete development-related directories.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "cschalk"
},
"versions": [
"6.1.5"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
30 changes: 30 additions & 0 deletions osv/malicious/npm/ethchained/MAL-0000-ethchained.json
@@ -0,0 +1,30 @@
{
"modified": "2025-01-21T17:30:48.384679Z",
"published": "2025-01-21T17:30:48.384679Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in ethchained",
"details": "This package exfiltrates cryptocurrency wallet files to an attacker-controlled domain.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ethchained"
Contributor

Can you explain more why this package is considered malicious?

It is definitely suspicious, but doesn't execute the problematic code, except if the file is executed directly by passing it to node.js.

Contributor Author

My original thinking was that in the package.json for this file the script eth.js with the malicious functionality is defined as the entrypoint via main.
"main": "/docs.wrm/basics/eth.js",
The archiving/exfiltration functions are the exports of eth.js

module.exports = {
    initiateExodusBackup,
    getLocalIpAddress,
    getPublicIpAddress,
    getExodusWalletDir,
    createBackupZip
};

Hence I thought upon import of the package itself, the functions are executed. But yes, you are right: unless it's executed like node /docs.wrm/basics/eth.js it won't send to the ngrok endpoint. I still think there's no good reason to have that in there, but I'm fine to remove the report if you think it doesn't pass the threshold of malicious.

},
"versions": [
"1.0.2",
"1.0.1",
"1.0.0"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
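Review bot: the `details` line ("exfiltrates cryptocurrency wallet files to an attacker-controlled domain") does not match what the review thread on this hunk established, namely that eth.js only exports the archiving and upload functions and sends nothing unless the file is run directly with node. If the record stays, `details` should state that trigger condition and name the entrypoint the package.json `main` points at (`/docs.wrm/basics/eth.js`), so consumers of the advisory can judge the actual risk of installing 1.0.0 to 1.0.2; if the report is withdrawn, the thread's conclusion should be recorded in the PR so the same analysis is not repeated.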
28 changes: 28 additions & 0 deletions osv/malicious/npm/ethweb-set/MAL-0000-ethweb-set.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:30:48.384679Z",
"published": "2025-01-21T17:30:48.384679Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in ethweb-set",
"details": "This package exfiltrates cryptocurrency wallet files to an attacker-controlled domain.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "ethweb-set"
},
"versions": [
"1.0.0"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
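Review bot: the `details`, `modified` and `published` values in this record are byte-identical to the ethchained record above, which suggests the two packages were analysed together; given the open question on ethchained about whether its exfiltration code runs at all without direct execution, please confirm whether ethweb-set 1.0.0 actually executes its wallet exfiltration on install or import, and say so in `details` rather than reusing the same sentence.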
28 changes: 28 additions & 0 deletions osv/malicious/npm/fast-utilz/MAL-0000-fast-utilz.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:47:19.692118Z",
"published": "2025-01-21T17:47:19.692118Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in fast-utilz",
"details": "This package downloads a second stage payload via Discord.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-utilz"
},
"versions": [
"1.1.3"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
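Review bot: `details` ("downloads a second stage payload via Discord") leaves out how the download is triggered and what the payload does once fetched, so a consumer of this advisory cannot tell whether simply installing 1.1.3 runs the downloader. One more sentence naming the trigger (install script, import, or a specific call) and the observed behaviour of the second stage would make the record actionable, as the outlookapi and marked-as records below do by describing their scripts.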
30 changes: 30 additions & 0 deletions osv/malicious/npm/marked-as/MAL-0000-marked-as.json
@@ -0,0 +1,30 @@
{
"modified": "2025-01-21T17:49:20.451309Z",
"published": "2025-01-21T17:49:20.451309Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in marked-as",
"details": "This package is imitating the popular marked library. It contains a VBScript to extract a bundled PE payload, make it hidden, and execute it.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "marked-as"
},
"versions": [
"1.2.0",
"1.1.0",
"1.0.0"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
28 changes: 28 additions & 0 deletions osv/malicious/npm/marked-at/MAL-0000-marked-at.json
@@ -0,0 +1,28 @@
{
"modified": "2025-01-21T17:35:47.106022Z",
"published": "2025-01-21T17:35:47.106022Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in marked-at",
"details": "This package contains a PowerShell download cradle to execute a Cobalt Strike beacon and establish command and control.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "marked-at"
},
"versions": [
"1.0.0"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}
30 changes: 30 additions & 0 deletions osv/malicious/npm/outlookapi/MAL-0000-outlookapi.json
@@ -0,0 +1,30 @@
{
"modified": "2025-01-21T17:33:44.233278Z",
"published": "2025-01-21T17:33:44.233278Z",
"schema_version": "1.5.0",
"id": "",
"summary": "Malicious code in outlookapi",
"details": "The package contains several malicious PowerShell and VBS scripts used to harvest browser data, take screenshots, log keystrokes, and establish startup persistence. It also bundles a password stealer and exfiltrates stolen data via Slack and Discord webhooks.",
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "outlookapi"
},
"versions": [
"1.0.2",
"1.0.1",
"1.0.0"
]
}
],
"credits": [
{
"name": "Stacklok Insight: insight.stacklok.com",
"type": "FINDER",
"contact": [
"https://discord.com/invite/RkzVuTp3WK"
]
}
]
}