This article is more than 1 year old

NPM is Now Providing Malware – or was until recently

Password-stealing package outed by security firm evokes sense of déjà vu

Another malicious library has been spotted in the JavaScript-oriented NPM registry, underscoring the continued fragility of today's software supply chain.

Like other software package registries – repositories of code libraries for specific tasks – NPM, which was acquired last year by Microsoft's GitHub, has proven to be an effective mechanism for spreading malicious software. Developers tend to trust the modules they download from such services and typically incorporate them into their projects without much scrutiny.

On Wednesday, ReversingLabs, a software security analysis firm, said it had identified password-stealing code in the nodejs_net_server package distributed via NPM.

The package, maintained by an author identified as "chrunlee," debuted as a 1.0.0 release on February 28, 2019. According to ReversingLabs, the project evolved to include remote shell functionality over the next several versions and late last year gained password-stealing capabilities with its 1.1.0 release.

"In December 2020, the author made an upgrade to version 1.1.0 by adding a script to download [a password access tool called ChromePass] hosted on their personal website, with the URL location hxxps://," the company explained in a blog post.

That lasted about three weeks, until the release of version 1.1.1 on December 24, 2020, which saw the malicious script modified to run TeamViewer.exe. ReversingLabs speculates this may have been to avoid having malware point at a personally associated website.

The 1.1.0 script fetched a file called a.exe, a renamed version of the ChromePass utility, a Windows tool for accessing passwords stored within the Chrome web browser.

ReversingLabs notes that "chrunlee" appears to have captured personal credentials by mistake while working on the malware. Versions 1.1.1 and 1.1.2 of the nodejs_net_server include login credentials that appear to have been captured as a result of testing ChromePass on the malware author's own computer. The text file spotted contained 282 login credentials, some of which might still be valid the security firm speculated, noting that some of them consist of underwhelming password choices like "asd123" and "111."

There have been 1,283 downloads of the package recorded since it was first published at the end of February 2019. While only version 1.1.0 included the password-stealing component, prior versions with remote shell functionality also represent cause for concern.

Cunning coder

The author of the dodgy code chose an unusual way to trick targets into running the malicious executable – rather than resorting to the common tactic of typosquatting, the miscreant abused NPM's configuration mechanism to overwrite a popular testing package, jstest (downloaded more than 36,000 times), so that the malicious executable gets activated.

"NPM packages provide a way to install one or more executable files into the PATH by providing a bin field inside the package.json configuration file," explains ReversingLabs. "Upon package installation, NPM will symlink that file to the prefix/bin folder for global installs, or ./node_modules/.bin/ folder for local installs."

"Any name can be assigned to these executables and, in case when a module with the same name already exists, it would be overwritten and mapped to the script provided by the malware."

For global installations, NPM requires a special flag to force the operation, but that's not required for local package installations.

ReversingLabs says it notified NPM about its findings on July 2, 2021, and that the offending package was still available as of July 15, 2021. Presently, it's no longer available. Another package attributed to "chrunlee," called tempdownloadtempfile, was also removed because it too included remote shell code.

Supply chain attacks on software package registries have become a frequent occurrence over the past few years. The NPM registry has seen numerous attacks of this sort, as has the Python Package Index (PyPI), and RubyGems.

In February, developer Alex Birsan revealed that last year he had managed to compromise the software supply chains of 35 companies by uploading non-functional malware to these various package services. Repeated demonstrations of the fragility of the package registry house of cards has led to advice from Microsoft and mitigation tools from Google.

"Repetitive discovery of malicious packages in these repositories has proven that there is a growing need for security solutions that can provide reliable identification and protection against these types of attacks," said ReversingLabs, clearly keen to be among those selling security salvation.

Even so, developers can be peevish when security tools like npm audit prove to be more trouble than they're worth. ®

More about


Send us news

Other stories you might like