Malicious Package Affecting sys.forms.26 package, versions [0,]
Snyk CVSS
Attack Complexity
Low
Confidentiality
High
Integrity
High
Availability
High
Threat Intelligence
Exploit Maturity
Mature
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-DOTNET-SYSFORMS26-3370723
- published 24 Mar 2023
- disclosed 24 Mar 2023
- credit JFrog
How to fix?
Avoid using all malicious instances of the Sys.Forms.26
package.
Overview
Sys.Forms.26 is a malicious package. This package adopts typosquatting techniques and attempts to trick users into downloading it.
It contains a PowerShell script that will execute upon installation and trigger a download of a 2nd stage
payload, which can be remotely executed.
Indicators of compromise:
https[:]//discord[.]com/api/webhooks/1076330498026115102/MLkgrUiivlgAoFWyvkSpLsBE3DMaDZd9cxPK3k9XQPyh6dw55jktV6qfDgxbs5AaY7Py
62[.]182[.]84[.]61
194[.]233[.]93[.]50
195[.]58[.]39[.]167
https[:]//paste[.]bingner[.]com/paste/xden6/raw
Squirrel-2021\Updater[.]exe