[High Risk] NPM packages typescript-4.8 and others steal sensitive host information
Vulnerability description
When a user installs an affected version of typescript-4.8 or one of the other NPM packages listed below, the package steals the host's hostname, username, IP address, the contents of /etc/passwd and other information and sends it to an attacker-controlled server address.
| MPS ID | MPS-c0m5-bjdy |
|---|---|
| Recommended action | Fix strongly recommended |
| Discovery date | 2025-08-24 |
| Poisoned registry | npm |
| Poisoning type | Host information collection |
| Exploitation cost | Low |
| Exploitation likelihood | Medium |
Affected scope
| Affected component | Affected versions (inclusive range) | Minimum fixed version |
|---|---|---|
| rush-b | [99.0.9, 99.0.9] | – |
| conversation-memory | [99.0.9, 99.0.9] | – |
| remark-canonical-link-plugin | [99.0.9, 99.0.9] | – |
| mayfly-risk | [10.0.0, 10.13.0] | – |
| photo-agent | [99.0.9, 99.0.9] | – |
| example-fastify-api | [0.1.1, 0.1.1] | – |
| typescript-5.8 | [99.0.9, 99.0.9] | – |
| inicontohlagikak | [1.0.0, 1.0.0] | – |
| typescript-5.7 | [99.0.9, 99.0.9] | – |
| symphony-fairvis | [9.0.1, 9.0.1] | – |
| global-copilot-menu | [1.0.0, 1.4.0] | – |
| typescript-5.9 | [99.0.9, 99.0.9] | – |
| suppressions | [99.0.9, 99.0.9] | – |
| schema-author | [99.0.9, 99.0.9] | – |
| rush-cyclic-dep-1 | [99.0.9, 99.0.9] | – |
| knowpro-test | [99.0.9, 99.0.9] | – |
| oracle-agent | [99.0.9, 99.0.9] | – |
| invalid-polyfill-boolean | [99.0.9, 99.0.9] | – |
| heft-storybook-react-tutorial | [99.0.9, 99.0.9] | – |
| invalid-polyfill-missing | [10.0.1, 99.0.9] | – |
| typescript-4.8 | [99.0.9, 99.0.9] | – |
| package-extractor-test-03 | [99.0.9, 99.0.9] | – |
| heft-web-rig-library-tutorial | [99.0.9, 99.0.9] | – |
| typescript-5.5 | [99.0.9, 99.0.9] | – |
| microbit-robot | [99.0.9, 99.0.9] | – |
| knowpro | [99.0.9, 99.0.9] | – |
| typespec-http-dispatcher | [99.0.9, 99.0.9] | – |
| default-agent-provider | [99.0.9, 99.0.9] | – |
| agent-cache | [99.0.9, 99.0.9] | – |
| doc-plugin-rush-stack | [99.0.9, 99.0.9] | – |
| axe-core-scanner | [99.0.9, 99.0.9] | – |
| invalid-polyfill-boundary | [99.0.9, 99.0.9] | – |
| parser-tson | [1.2.3, 1.2.3] | – |
| eslint-9 | [99.0.9, 99.0.9] | – |
| other-pkg-b | [99.0.9, 99.0.9] | – |
| msalv2 | [99.0.9, 99.0.9] | – |
| cobadonglagi | [1.0.0, 1.0.0] | – |
| github-socket-worker | [1.4.0, 1.4.2] | – |
| remark-cross-site-link-plugin | [99.0.9, 99.0.9] | – |
| website-memory | [99.0.9, 99.0.9] | – |
| image-agent | [99.0.9, 99.0.9] | – |
| msalv3 | [99.0.9, 99.0.9] | – |
| typescript-5.6 | [99.0.9, 99.0.9] | – |
| greeting-agent | [99.0.9, 99.0.9] | – |
| rush-c | [99.0.9, 99.0.9] | – |
| run-scenarios-helpers | [99.0.9, 99.0.9] | – |
| heft-example-lifecycle-plugin | [99.0.9, 99.0.9] | – |
| parser-session | [1.0.0, 1.2.3] | – |
| server_msg | [3.0.4, 3.1.4] | – |
| azure-ai-foundry | [99.0.9, 99.0.9] | – |
| inicontohrcekak | [1.0.0, 3.0.0] | – |
| health-cards-validation-sdk | [99.0.9, 99.0.9] | – |
| typescript-5.1 | [99.0.9, 99.0.9] | – |
| api-extractor-lib4-test | [99.0.9, 99.0.9] | – |
| credit-app-ui | [99.1.1, 99.1.1] | – |
| typescript-6.0 | [99.0.9, 99.0.9] | – |
| montage-agent | [99.0.9, 99.0.9] | – |
| spelunker-agent | [99.0.9, 99.0.9] | – |
| typescript-5.3 | [99.0.9, 99.0.9] | – |
| typescript-4.9 | [99.0.9, 99.0.9] | – |
| eslint-8 | [99.0.9, 99.0.9] | – |
| knowledge-processor | [99.0.9, 99.0.9] | – |
| rushstack.io | [99.0.9, 99.0.9] | – |
| heft-example-plugin-02 | [99.0.9, 99.0.9] | – |
| typescript-5.4 | [99.0.9, 99.0.9] | – |
| heft-example-plugin-01 | [99.0.9, 99.0.9] | – |
| inihanyacontohkak | [1.0.0, 1.0.0] | – |
| rush-d | [99.0.9, 99.0.9] | – |
| browser-typeagent | [99.0.9, 99.0.9] | – |
| cld-ai-chatbot-web | [3.0.4, 3.1.4] | – |
| ng-tds | [999999.999999.999999, 999999.999999.999999] | – |
| action-schema-compiler | [99.0.9, 99.0.9] | – |
| examples-lib | [99.0.9, 99.0.9] | – |
| theme-rushstack-suite-nav | [99.0.9, 99.0.9] | – |
| image-memory | [99.0.9, 99.0.9] | – |
| android-mobile-agent | [99.0.9, 99.0.9] | – |
| rehype-headerless-table-plugin | [99.0.9, 99.0.9] | – |
| temp-nextjs | [99.0.9, 99.0.9] | – |
| heft-parameter-plugin | [99.0.9, 99.0.9] | – |
| eslint-oldest | [99.0.9, 99.0.9] | – |
| list-agent | [99.0.9, 99.0.9] | – |
| typescript-5.0 | [99.0.9, 99.0.9] | – |
| depconfusioncheckdontuse | [1.2.1, 1.2.1] | – |
| memory-providers | [99.0.9, 99.0.9] | – |
| decoupled-local-node-rig | [99.0.9, 99.0.9] | – |
| typescript-5.2 | [99.0.9, 99.0.9] | – |
| @google-analystics/extensions | [1.0.0, 1.0.0] | – |
| code-processor | [99.0.9, 99.0.9] | – |
| xpoc-ts-lib | [99.0.9, 99.0.9] | – |
| rush-cyclic-dep-2 | [99.0.9, 99.0.9] | – |
| my-first-npm-package-1337 | [1.0.0, 1.0.2] | – |
| this-should-be-ignored | [10.0.1, 99.0.9] | – |
| agent-dispatcher | [99.0.9, 99.0.9] | – |
| api-extractor-lib5-test | [99.0.9, 99.0.9] | – |
| eslint-8.23 | [99.0.9, 99.0.9] | – |
| msalv1 | [99.0.9, 99.0.9] | – |
| heft-minimal-rig-test | [99.0.9, 99.0.9] | – |
| @spdf/astrotheme | [0.0.1, 0.0.1] | – |
| prettier-v2 | [99.0.9, 99.0.9] | – |
| rushjs.io | [99.0.9, 99.0.9] | – |
| markdown-agent | [99.0.9, 99.0.9] | – |
| package-extractor-test-02 | [99.0.9, 99.0.9] | – |
Reference links
https://www.oscs1024.com/hd/MPS-c0m5-bjdy
Security handling recommendations
- Check whether any affected package is installed: use a tool such as the MurphySec software supply chain security platform to quickly detect whether an affected package has been introduced.
- Remove affected packages immediately: if a malicious package from the list above has been installed, run `npm uninstall <package name>` right away, then delete node_modules and package-lock.json and reinstall the dependencies.
- Check the system thoroughly: run an antivirus scan; look for abnormal processes and network connections (paying particular attention to communication with foreign IP addresses); check whether environment variables and configuration files (database passwords, API keys, etc.) may have been exfiltrated; reset sensitive credentials where necessary.
- Strengthen dependency management practices:
  - Install components only from the official NPM registry; avoid third-party mirrors and packages from unknown sources.
  - Run npm audit or yarn audit regularly to check dependencies for vulnerabilities.
  - Restrict dependency version ranges in package.json (for example, avoid * or latest) and prefer mature components with high download counts and active communities.
  - Integrate a tool such as the MurphySec software supply chain security platform to monitor risks automatically.
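To support the first two steps above without a commercial tool, the following added example (not from the advisory or from MurphySec) scans a package-lock.json v2/v3 "packages" map against the affected table with inclusive version-range matching. The AFFECTED array is a constructed subset of the table above (extend it with the remaining rows), and SAMPLE_LOCK is a constructed lockfile.

```javascript
// Added example: detect packages from this advisory in a package-lock.json (v2/v3).
// AFFECTED is a constructed subset of the advisory's table: [name, min, max], inclusive.
const AFFECTED = [
  ["typescript-4.8", "99.0.9", "99.0.9"],
  ["mayfly-risk", "10.0.0", "10.13.0"],
  ["@google-analystics/extensions", "1.0.0", "1.0.0"],
  ["github-socket-worker", "1.4.0", "1.4.2"],
  ["ng-tds", "999999.999999.999999", "999999.999999.999999"],
];

// Compare dotted numeric versions; returns -1, 0 or 1 (no prerelease tags in this list).
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(name, version) {
  return AFFECTED.some(([n, lo, hi]) =>
    n === name && compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0);
}

// Lockfile v2/v3 keys are install paths such as "node_modules/foo" or
// "node_modules/a/node_modules/@scope/foo"; the name follows the last "node_modules/".
function scanLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (meta.version && isAffected(name, meta.version)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Constructed sample: one hit, one nested scoped hit, one version just outside its range, one clean.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/typescript-4.8": { version: "99.0.9" },
    "node_modules/mayfly-risk": { version: "10.14.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/foo/node_modules/@google-analystics/extensions": { version: "1.0.0" },
  },
};

// In practice: scanLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
console.log(scanLockfile(SAMPLE_LOCK));
```

A non-empty result means the package is present and the advisory's removal and credential-reset steps apply; an empty result does not rule out packages installed outside the lockfile (global installs, other lockfile formats).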
One-click automatic check of this type of risk across your whole company
MurphySec offers a free one-click service for checking open-source component vulnerabilities and poisoning risks across your entire company; it can connect to and scan all of your company's code repositories, container image registries, hosts, artifact repositories and more.
Trial address: https://www.murphysec.com/adv?code=KTW1
Submit vulnerability intelligence: https://www.murphysec.com/bounty
Analysis of this poisoning campaign
- Package: typescript-4.8@99.0.9
  Target: TypeScript-related development projects
  Rationale: mimics the official TypeScript package name, and the abnormally high version number suggests it is meant to be pulled into development environments by mistake through a dependency confusion attack.
- Package: rush-b@99.0.9
  Target: Rush Stack multi-package projects
  Rationale: named after the Rush tool, so it likely targets multi-package repository environments managed by Rush.
- Package: @google-analystics/extensions@1.0.0
  Target: Google Analytics integration projects
  Rationale: the package name contains a typo (analystics instead of analytics), a typical typosquatting pattern aimed at web projects that use GA.