Exfiltration (network)

The lstn tool appears to detect network connections by monitoring the metadata associated with running processes and the packages they belong to. When it encounters an unexpected outbound connection destination, it logs a message with the connection details (the socket's local and remote endpoints and the server IP) together with metadata about the associated package and process, such as the npm package name and version, the executable path, and the command line used to start the process. The tool may be using some form of network monitoring or packet sniffing to detect these connections.

For example:

    [medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
     commandline: node-gyp
     executable_path: /usr/local/bin/node
     file_descriptor: ::ffff:10.0.2.100:42960->2606:4700:10::6814:162e:0
     server_ip: 2606:4700:10::6814:162e

An outbound connection made by a package during npm install could be malicious if the package sends sensitive data, such as user login credentials or system information, to an unauthorized third-party server. For example, a package may contain malicious code that opens a connection to an attacker-controlled server and sends it whatever it has collected, which the attacker can then use for identity theft or unauthorized access to the user's systems.
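To show how a finding like the one above can be consumed by a triage pipeline, here is an added Python example (not part of the lstn tool or of this page): it parses the header and detail lines, splits file_descriptor into local and remote endpoints, cross-checks server_ip against the remote side, and flags public destinations that are not on an operator-supplied allowlist. The header layout, the sample text and the allowlist are assumptions modelled on the message shown above.

```python
import ipaddress
import re

# Constructed sample modelled on the lstn message shown above; not captured from a real run.
SAMPLE_FINDING = """\
[medium] unexpected outbound connection destination (from transitive dependency contextify@0.1.15)
    commandline: node-gyp
    executable_path: /usr/local/bin/node
    file_descriptor: ::ffff:10.0.2.100:42960->2606:4700:10::6814:162e:0
    server_ip: 2606:4700:10::6814:162e
"""
# Assumed header shape: "[severity] message (from <kind> dependency <name>@<version>)".
HEADER_RE = re.compile(
    r"^\[(?P<severity>[a-z]+)\]\s+(?P<message>.+?)\s+"
    r"\(from (?P<kind>.+?) dependency (?P<package>\S+)@(?P<version>[^\s)]+)\)$"
)

def as_ip(host: str):
    """Parse an address, unwrapping IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4."""
    addr = ipaddress.ip_address(host)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def split_endpoint(endpoint: str):
    """Split 'addr:port' at the last colon; an IPv6 address contains colons itself."""
    host, _, port = endpoint.rpartition(":")
    return as_ip(host), int(port)

def parse_finding(text: str) -> dict:
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    m = HEADER_RE.match(lines[0])
    if m is None:
        raise ValueError(f"unrecognised finding header: {lines[0]!r}")
    finding = m.groupdict()
    for ln in lines[1:]:  # "key: value" detail lines
        key, _, value = ln.partition(": ")
        finding[key] = value
    local, remote = finding["file_descriptor"].split("->", 1)
    finding["local_ip"], finding["local_port"] = split_endpoint(local)
    finding["remote_ip"], finding["remote_port"] = split_endpoint(remote)
    # Cross-check: server_ip must agree with the remote side of the descriptor.
    if as_ip(finding["server_ip"]) != finding["remote_ip"]:
        raise ValueError("server_ip disagrees with file_descriptor")
    return finding

def needs_review(finding: dict, allowed_ips: set) -> bool:
    ip = finding["remote_ip"]
    # Public destination not on the allowlist; private/loopback ones (local proxy, cache) rank lower.
    return ip.is_global and str(ip) not in allowed_ips
```

Feed each lstn finding block to parse_finding and route the ones for which needs_review returns True to a human or to a blocking policy.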

© 2023 Garnet Labs