Top issues
Problem
Uniform Resource Locators (URLs) are structured addresses that point to locations and assets on the internet. URLs allow software developers to build complex applications that exchange data with servers that can be hosted in multiple geographical regions. URLs can commonly be found embedded in documentation, configuration files, source code and compiled binaries. One or more embedded URLs were discovered to link to raw files hosted on GitHub. Attackers often abuse popular web services to host malicious payloads. Since code-sharing services URLs are typically allowed by security solutions, using them for payload delivery increases the odds that the malicious code will reach the user. While the presence of code-sharing service locations does not imply malicious intent, all of their uses in a software package should be documented and approved. An increasing number of software supply chain attacks in the open source space leverages the GitHub service to deliver malicious payloads.Prevalence in npm community
10 packages
found in
Top 100
52 packages
found in
Top 1k
959 packages
found in
Top 10k
183909 packages
in community
Next steps
Investigate reported detections.
If the software should not include these network references, investigate your build and release environment for software supply chain compromise.
You should delay the software release until the investigation is completed, or until the issue is risk accepted.
Consider an alternative delivery mechanism for software packages.
Problem
Operating systems allow multiple user accounts to coexist on a single computer system. Each registered user has identity information associated with their account. At the very least, user accounts consist of a user name and an optional password. In some cases, user account data may also include personally identifiable information. Extended personal information may include user's given and last name, their email and mailing address, personal photo and their telephone number. Financially motivated attackers may seek to collect personal information for purposes of selling the private data to a third-party. Malicious code that typically exhibits these behavior traits is commonly referred to as an information stealer. While the presence of code that accesses identity information does not necessarily imply malicious intent, all of its uses in a software package should be documented and approved. Accessing identity information is a very common behavior for software packages. One example of acceptable use for such functions is verifying that the active user has purchased a software license that allows them to run the application.Prevalence in npm community
2 packages
found in
Top 100
6 packages
found in
Top 1k
166 packages
found in
Top 10k
34671 packages
in community
Next steps
Investigate reported detections as indicators of software tampering.
Consult Mitre ATT&CK documentation: T1033 - System Owner/User Discovery.
Top behaviors
Contains URLs that link to raw files on GitHub.
network
Prevalence in npm community
Behavior often found in this community (Common)
10 packages
found in
Top 100
52 packages
found in
Top 1k
959 packages
found in
Top 10k
183924 packages
in community
Contains URLs that link to interesting file formats.
network
Prevalence in npm community
Behavior often found in this community (Common)
5 packages
found in
Top 100
39 packages
found in
Top 1k
518 packages
found in
Top 10k
107169 packages
in community
Executes files during installation or upon launch.
execution
Prevalence in npm community
No behavior prevalence information at this timeEnumerates current user's home directory.
search
Prevalence in npm community
Behavior often found in this community (Common)
2 packages
found in
Top 100
19 packages
found in
Top 1k
308 packages
found in
Top 10k
58408 packages
in community
Creates shortcuts during installation or upon launch.
file
Prevalence in npm community
No behavior prevalence information at this timeTop vulnerabilities
No vulnerabilities found.