NPM is Now Providing Malware – or was until recently

Password-stealing package outed by security firm evokes sense of déjà vu


Another malicious library has been spotted in the JavaScript-oriented NPM registry, underscoring the continued fragility of today's software supply chain.

Like other software package registries – repositories of code libraries for specific tasks – NPM, which was acquired last year by Microsoft's GitHub, has proven to be an effective mechanism for spreading malicious software. Developers tend to trust the modules they download from such services and typically incorporate them into their projects without much scrutiny.

On Wednesday, ReversingLabs, a software security analysis firm, said it had identified password-stealing code in the nodejs_net_server package distributed via NPM.

The package, maintained by an author identified as "chrunlee," debuted as a 1.0.0 release on February 28, 2019. According to ReversingLabs, the project evolved to include remote shell functionality over the next several versions and late last year gained password-stealing capabilities with its 1.1.0 release.

"In December 2020, the author made an upgrade to version 1.1.0 by adding a script to download [a password access tool called ChromePass] hosted on their personal website, with the URL location hxxps://chrunlee.cn/a.exe," the company explained in a blog post.

That lasted about three weeks, until the release of version 1.1.1 on December 24, 2020, which saw the malicious script modified to run TeamViewer.exe. ReversingLabs speculates this may have been to avoid having malware point at a personally associated website.

The 1.1.0 script fetched a file called a.exe, a renamed version of the ChromePass utility, a Windows tool for accessing passwords stored within the Chrome web browser.

ReversingLabs notes that "chrunlee" appears to have captured their own credentials by mistake while working on the malware. Versions 1.1.1 and 1.1.2 of the nodejs_net_server package ship with a text file of login credentials that appear to have been harvested by testing ChromePass on the author's own computer. The file contained 282 credentials, some of which might still be valid, the security firm speculated, noting that several consist of underwhelming password choices like "asd123" and "111."

There have been 1,283 downloads of the package recorded since it was first published at the end of February 2019. While only version 1.1.0 included the password-stealing component, prior versions with remote shell functionality also represent cause for concern.

Cunning coder

The author of the dodgy code chose an unusual way to get targets to run the malicious executable. Rather than resorting to the common tactic of typosquatting, the miscreant abused NPM's bin configuration mechanism to hijack the executable name of a popular testing package, jstest (downloaded more than 36,000 times), so that invoking jstest launches the malicious script instead.

"NPM packages provide a way to install one or more executable files into the PATH by providing a bin field inside the package.json configuration file," explains ReversingLabs. "Upon package installation, NPM will symlink that file to the prefix/bin folder for global installs, or ./node_modules/.bin/ folder for local installs."

"Any name can be assigned to these executables and, in case when a module with the same name already exists, it would be overwritten and mapped to the script provided by the malware."

For global installations, NPM refuses to overwrite an existing executable unless the install is forced with a flag (--force); no such check applies to local package installations. That matters because NPM prepends ./node_modules/.bin to PATH when it runs package scripts, so a project whose package.json carries "test": "jstest" would launch the impostor the next time someone types npm test.

ReversingLabs says it notified NPM about its findings on July 2, 2021, and that the offending package was still available as of July 15, 2021. Presently, it's no longer available. Another package attributed to "chrunlee," called tempdownloadtempfile, was also removed because it too included remote shell code.

Supply chain attacks on software package registries have become a frequent occurrence over the past few years. The NPM registry has seen numerous attacks of this sort, as has the Python Package Index (PyPI), and RubyGems.

In February, developer Alex Birsan revealed that last year he had managed to compromise the software supply chains of 35 companies by uploading harmless proof-of-concept packages to these various package services. Repeated demonstrations of the fragility of the package registry house of cards have led to advice from Microsoft and mitigation tools from Google.

"Repetitive discovery of malicious packages in these repositories has proven that there is a growing need for security solutions that can provide reliable identification and protection against these types of attacks," said ReversingLabs, clearly keen to be among those selling security salvation.

Even so, developers can be peevish when security tools like npm audit prove to be more trouble than they're worth. ®

Biting the hand that feeds IT © 1998–2022