nyc-config@1.3.0

Malicious
Verified
Analyzed at: 3/10/2025, 12:52:31 PM
Source: https://registry.npmjs.org/nyc-config/-/nyc-config-1.3.0.tgz
SHA256: 5a13133494835ca97242681496a1fb8bfbda42895f20e1295d43d0290abe416b
Confidence: High
Summary

This analysis was performed using vet and SafeDep Cloud Malicious Package Analysis. Integrate with GitHub using vet-action GitHub Action.

Note: This report is updated by a verification record

Hardcoded C&C IP, system info exfiltration, suspicious preinstall script, and multiple analysis confirmations point to malicious intent.

Verification Record

The package is marked as malware by OSV: MAL-2025-2227 with source: ghsa-malware

This package runs commands in a pre-install script that exfils sensitive data to an attacker-controlled domain.


Source: ghsa-malware (83c7949463fd0e15f454229b42a3390cd388e5421cf90b12a13253be059b9792)

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Details

The package nyc-config version 1.3.0 exhibits strong indicators of malicious behavior based on the collected evidence. Multiple sources, including both YARA analysis and more reliable LLM-based file evaluation, point to the same malicious functionalities.

Specifically:

  • Command and Control (C&C) Communication: The package hardcodes an IP address (23.22.251.177:8080) within the index.js file, used to send data to a remote server. This is a clear indication of a C&C channel, allowing an attacker to control the compromised system.
  • System Information Exfiltration: The script actively collects sensitive system information, including hostname, OS details, IP addresses, username, and current working directory. This data is then transmitted to the C&C server, enabling the attacker to gain comprehensive knowledge of the affected system.
  • Public IP Address Lookup: The use of ipify.org to obtain the public IP address further strengthens the attacker's ability to track and monitor the compromised system.
  • Suspicious Pre-install Script: The package.json file includes a preinstall script that executes node index.js. This allows arbitrary code execution before the package is even installed, a common tactic to silently deploy malware.
  • Multiple Independent Verifications: The findings are corroborated by multiple independent analysis methods (YARA and LLM), increasing the confidence level in the assessment. While YARA rules can be noisy, the consistency with LLM findings is significant.

The combination of these factors strongly suggests that nyc-config 1.3.0 is a malicious package designed to exfiltrate sensitive information and provide remote access to an attacker. The lack of source project information further adds to the suspicion.