This article is more than 1 year old
NPM is Now Providing Malware – or was until recently
Password-stealing package outed by security firm evokes sense of déjà vu
Like other software package registries – repositories of code libraries for specific tasks – NPM, which was acquired last year by Microsoft's GitHub, has proven to be an effective mechanism for spreading malicious software. Developers tend to trust the modules they download from such services and typically incorporate them into their projects without much scrutiny.
On Wednesday, ReversingLabs, a software security analysis firm, said it had identified password-stealing code in the
nodejs_net_server package distributed via NPM.
The package, maintained by an author identified as "chrunlee," debuted as a 1.0.0 release on February 28, 2019. According to ReversingLabs, the project evolved to include remote shell functionality over the next several versions and late last year gained password-stealing capabilities with its 1.1.0 release.
"In December 2020, the author made an upgrade to version 1.1.0 by adding a script to download [a password access tool called ChromePass] hosted on their personal website, with the URL location
hxxps://chrunlee.cn/a.exe," the company explained in a blog post.
That lasted about three weeks, until the release of version 1.1.1 on December 24, 2020, which saw the malicious script modified to run
TeamViewer.exe. ReversingLabs speculates this may have been to avoid having malware point at a personally associated website.
The 1.1.0 script fetched a file called
a.exe, a renamed version of the ChromePass utility, a Windows tool for accessing passwords stored within the Chrome web browser.
ReversingLabs notes that "chrunlee" appears to have captured personal credentials by mistake while working on the malware. Versions 1.1.1 and 1.1.2 of the
nodejs_net_server include login credentials that appear to have been captured as a result of testing ChromePass on the malware author's own computer. The text file spotted contained 282 login credentials, some of which might still be valid the security firm speculated, noting that some of them consist of underwhelming password choices like "asd123" and "111."
There have been 1,283 downloads of the package recorded since it was first published at the end of February 2019. While only version 1.1.0 included the password-stealing component, prior versions with remote shell functionality also represent cause for concern.
The author of the dodgy code chose an unusual way to trick targets into running the malicious executable – rather than resorting to the common tactic of typosquatting, the miscreant abused NPM's configuration mechanism to overwrite a popular testing package,
jstest (downloaded more than 36,000 times), so that the malicious executable gets activated.
"NPM packages provide a way to install one or more executable files into the PATH by providing a
bin field inside the
package.json configuration file," explains ReversingLabs. "Upon package installation, NPM will symlink that file to the
prefix/bin folder for global installs, or
./node_modules/.bin/ folder for local installs."
"Any name can be assigned to these executables and, in case when a module with the same name already exists, it would be overwritten and mapped to the script provided by the malware."
For global installations, NPM requires a special flag to force the operation, but that's not required for local package installations.
ReversingLabs says it notified NPM about its findings on July 2, 2021, and that the offending package was still available as of July 15, 2021. Presently, it's no longer available. Another package attributed to "chrunlee," called
tempdownloadtempfile, was also removed because it too included remote shell code.
- Trail of Bits security peeps emit tool to weaponize Python's insecure pickle files to hopefully now get everyone's attention
- Google dishes out homemade SLSA, a recipe to thwart software supply-chain attacks
- What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft
- Python Package Index nukes 3,653 malicious libraries uploaded soon after security shortcoming highlighted
Supply chain attacks on software package registries have become a frequent occurrence over the past few years. The NPM registry has seen numerous attacks of this sort, as has the Python Package Index (PyPI), and RubyGems.
In February, developer Alex Birsan revealed that last year he had managed to compromise the software supply chains of 35 companies by uploading non-functional malware to these various package services. Repeated demonstrations of the fragility of the package registry house of cards has led to advice from Microsoft and mitigation tools from Google.
"Repetitive discovery of malicious packages in these repositories has proven that there is a growing need for security solutions that can provide reliable identification and protection against these types of attacks," said ReversingLabs, clearly keen to be among those selling security salvation.
Even so, developers can be peevish when security tools like
npm audit prove to be more trouble than they're worth. ®