漏洞描述
当用户安装受影响版本的 @blocks-shared/atom-panel 等NPM组件包时会窃取用户的主机名、用户名、工作目录、IP地址等信息并发送到攻击者可控的服务器地址。
| MPS编号 | MPS-8htd-4bis |
|---|---|
| 处置建议 | 强烈建议修复 |
| 发现时间 | 2025-07-11 |
| 投毒仓库 | npm |
| 投毒类型 | 主机信息收集 |
| 利用成本 | 低 |
| 利用可能性 | 中 |
影响范围
| 影响组件 | 受影响的版本 | 最小修复版本 |
|---|---|---|
| nbastatsleftnav | [1.0.0, 99.0.1] | – |
| ltiditest | [11.11.1, 11.11.3] | – |
| cooegamess | [1.1.27, 1.1.27] | – |
| xurbansimsx | [1.4.2, 1.4.2] | – |
| newslot2025 | [1.1.1, 1.1.4] | – |
| casino2025 | [1.1.20, 1.1.20] | – |
| winbox88casino | [1.3.9, 1.3.9] | – |
| slot-server-thailand | [1.0.0, 1.0.21] | – |
| top4smm | [1.1.37, 1.1.38] | – |
| adaptivecards-extras | [0.0.1, 99.99.99] | – |
| comment-on-task-github-action | [1.0.0, 1.0.0] | – |
| pkgsite | [1.0.0, 1.0.0] | – |
| diuwin | [1.1.36, 1.1.36] | – |
| winbox88mys2025 | [3.4.5, 3.4.5] | – |
| tastegarden | [3.4.10, 3.4.10] | – |
| kk8myr | [1.2.3, 1.2.3] | – |
| rxcegame | [1.1.28, 1.1.28] | – |
| 12jeet2025 | [1.1.19, 1.1.19] | – |
| winboxmy | [1.2.8, 1.2.8] | – |
| abseits_soccer | [1.1.0, 1.1.0] | – |
| sample-nuxtjs | [1.0.0, 1.0.0] | – |
| 202512jeet | [1.1.18, 1.1.18] | – |
| @platform-clientextensions/rum-web | [999.999.999, 999.999.1003] | – |
| tyrtle | [1.0.0, 1.0.0] | – |
| okwinclubb | [1.1.30, 1.1.30] | – |
| @shadowmonarchx/eslint_plugin_react | [7.29.5, 7.29.6] | – |
| wb888 | [3.4.6, 3.4.6] | – |
| raekwonchronicles_2025 | [1.1.0, 1.1.0] | – |
| winboxcasino2025 | [1.2.7, 1.2.7] | – |
| colorwizgamess | [1.1.29, 1.1.31] | – |
| @stride-mfe/wmc | [99.9.1, 99.9.1] | – |
| os-apps-ui-traffic-manager | [99.0.0, 99.0.0] | – |
| winbox88info | [3.4.8, 3.4.8] | – |
| winbox88my3 | [1.2.7, 1.2.7] | – |
| kenmcmil | [1.1.0, 1.1.0] | – |
| rougemagz2025 | [1.1.4, 1.1.4] | – |
| mantrimall_app | [1.1.26, 1.1.26] | – |
| ltiditest2 | [99.9.1, 99.9.2] | – |
| winbox2025 | [1.2.6, 1.2.6] | – |
| abseits_soccer-888 | [1.1.0, 1.1.0] | – |
| dep-confusion-poc-monke | [1.1.1, 1.1.1] | – |
| kenmcmil-slot | [1.1.0, 1.1.0] | – |
| winbox88mys | [3.4.4, 3.4.4] | – |
| kk8myr2025 | [1.2.4, 1.2.4] | – |
| bigwin29 | [1.1.22, 1.1.22] | – |
| rule34news | [1.4.6, 1.4.6] | – |
| dyninstslots | [1.1.6, 1.1.6] | – |
| npmrcetest | [1.0.0, 1.0.0] | – |
| sandbox-plugin | [1.0.0, 1.0.0] | – |
| slot888_2025 | [1.1.0, 1.1.0] | – |
| raekwonchroniclesslots | [1.1.5, 1.1.5] | – |
| winboxmy2025 | [1.2.9, 1.2.9] | – |
| hubspot-cms-deploy | [1.0.0, 1.0.0] | – |
| teeble | [1.0.0, 1.0.0] | – |
| kk8my | [1.2.1, 1.2.1] | – |
| fachaibiz | [1.4.4, 1.4.4] | – |
| @tui-react-internal/select-account-icon | [1.99.99, 1.99.99] | – |
| emailphotogallery | [99.0.1, 99.0.1] | – |
| dyninstslots2025 | [1.1.16, 1.1.16] | – |
| mcwcasinoonline | [1.4.8, 1.4.8] | – |
| kk8my2025 | [1.2.2, 1.2.2] | – |
| preset-log | [7.11.8, 7.11.8] | – |
| 2025dyninstslots | [1.1.15, 1.1.17] | – |
| animalrightshistory | [1.1.0, 1.1.0] | – |
| preview-server-auth-test | [1.1.5, 1.1.5] | – |
| peerinstruction_888 | [1.1.0, 1.1.0] | – |
| lottery7club | [1.1.34, 1.1.34] | – |
| vite-postcss-tools | [0.0.2, 0.0.4] | – |
| superslotmax | [1.1.4, 1.1.4] | – |
| grallama | [1.0.0, 1.0.0] | – |
| wb888new | [3.4.7, 3.4.7] | – |
| tirangaclubb | [1.1.35, 1.1.35] | – |
| @ecommerce-cart-ui/client | [1.0.0, 189.0.0] | – |
| apple-psh | [0.1.0, 4.1.0] | – |
| newpgslot2025 | [1.1.4, 1.1.4] | – |
| dex-core-v2 | [9.9.9, 9.9.9] | – |
| supabase-react | [1.0.0, 1.0.0] | – |
| mcwcasino2025 | [1.1.21, 1.4.7] | – |
| fachaibiz2025 | [1.4.5, 1.4.5] | – |
| winbox88my3_2025 | [1.3.7, 1.3.7] | – |
| winbox88trust1 | [1.2.5, 1.2.5] | – |
| winbox2025new | [3.4.3, 3.4.3] | – |
| jquery-zoomer | [1.0.0, 1.0.0] | – |
| smederevo | [1.1.0, 1.1.0] | – |
| xurbansimsx2025 | [1.4.3, 1.4.3] | – |
| os-apps-ui-portal | [99.0.0, 99.0.0] | – |
| peerinstruction | [1.1.0, 1.1.0] | – |
| ultraconvert | [1.3.5, 1.3.9] | – |
| 2025bigwin29 | [1.1.32, 1.1.32] | – |
| winbox-mikrotik | [3.4.1, 3.4.1] | – |
| winbox88info2025 | [3.4.9, 3.4.9] | – |
| os-apps-ui-placement-manager | [99.0.0, 99.0.0] | – |
| tastegarden2025 | [3.4.11, 3.4.11] | – |
| @blocks-shared/atom-panel | [1.99.99, 1.99.99] | – |
| top4smm-panel | [1.1.39, 1.1.39] | – |
| smederevo_888 | [1.1.0, 1.1.0] | – |
| winbox882025 | [1.4.9, 1.4.9] | – |
| @yinc/ui | [99.9.1, 99.9.1] | – |
| os-apps-ui-creative-manager | [99.0.0, 99.0.1] | – |
| cookiefunctions | [9.0.3, 99.0.2] | – |
| octavianreport | [1.1.0, 1.1.0] | – |
| animalrightshistory_888 | [1.1.0, 1.1.0] | – |
参考链接
https://www.oscs1024.com/hd/MPS-8htd-4bis
安全处理建议
- 排查是否安装了受影响的包:
使用墨菲安全软件供应链安全平台等工具快速检测是否引入受影响的包。 - 立即移除受影响包:
若已安装列表中的恶意包,立即执行 npm uninstall <包名>,并删除node_modules和package-lock.json后重新安装依赖。 - 全面检查系统安全:
运行杀毒软件扫描,检查是否有异常进程、网络连接(重点关注境外 IP 通信),排查环境变量、配置文件是否被窃取(如数据库密码、API 密钥等),必要时重置敏感凭证。 - 加强依赖管理规范:
- 仅从官方 NPM 源安装组件,避免使用第三方镜像或未知来源的包。
- 使用npm audit、yarn audit定期检查依赖漏洞。
- 限制package.json中依赖的版本范围(如避免*或latest),优先选择下载量高、社区活跃的成熟组件。
- 集成墨菲安全软件供应链安全平台等工具自动监控风险。
一键自动排查全公司此类风险
墨菲安全为您免费提供一键排查全公司开源组件漏洞&投毒风险服务,可一键接入扫描全公司的代码仓库、容器镜像仓库、主机、制品仓库等。
试用地址:https://www.murphysec.com/apply?code=93XQ
提交漏洞情报:https://www.murphysec.com/bounty
关于本次投毒的分析
- 包名:@blocks-shared/atom-panel@1.99.99
攻击目标:博彩/在线游戏相关项目
理由:受影响包名含casino、slot、winbox等博彩关键词,如winbox88casino、mcwcasinoonline,针对性收集主机信息。
