Skip to content

Add malicious npm package testudo-pack#1357

Open
tolgaergin wants to merge 1 commit into
ossf:mainfrom
tolgaergin:codex/add-testudo-pack-malware
Open

Add malicious npm package testudo-pack#1357
tolgaergin wants to merge 1 commit into
ossf:mainfrom
tolgaergin:codex/add-testudo-pack-malware

Conversation

@tolgaergin

Copy link
Copy Markdown

Adds a malicious-package OSV report for testudo-pack@1.0.0.

Source report: https://firewall.lpm.dev/npm/testudo-pack/v/1.0.0

Evidence summary:

  • package.json sets index.js as the package main entrypoint and defines postinstall: node index.js.
  • Direct source inspection shows index.js does not call the payload at top level during postinstall; the malicious behavior is triggered when user or dependent code calls exported pack().
  • pack() calls _fetch(), which resolves an obfuscated sloth-antagonist.vercel.app host and OS-specific payload path.
  • _fetch() downloads a remote binary into a WinMetrics directory under %LOCALAPPDATA%/Programs on Windows or $HOME/.local/share on Linux.
  • The Linux payload is marked executable, then the downloaded binary is started detached with ignored stdio.
  • LPM Firewall classified the package as malicious/block with low false-positive risk.

Local checks:

  • jq parse check passed.
  • Lightweight local advisory checks passed.
  • The unpkg source references returned 200.
  • Could not run make validate locally because Go is not installed on this machine; GitHub Actions should run the official OpenSSF validator.

Signed-off-by: Tolga Ergin <tolgaergin@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant