0 4 min 3 mths
NPM package

A software package available in the official NPM repository has actually turned out to be a facade for a tool designed to steal saved passwords from the Chrome web browser.

The package in question, named “nodejs_net_server“and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub.

“It’s not inherently malicious, but it can be when placed in the context of malicious use,” Karlo Zanki, Researcher at ReversingLabs. mentionned in an analysis shared with The Hacker News. “For example, this package uses it to perform malicious password theft and credential exfiltration. Even though this standard password recovery tool comes with a graphical user interface, the authors of malware like to use it because it can also be run from the command line. “

Stack Overflow Teams

While the first version of the package was released only to test the process of releasing an NPM package, the developer, who went by name “chrunlee”, made revisions to implement a remote shell feature that was improvised on several later versions.

This was followed by the addition of a script that downloaded the ChromePass password theft tool hosted on their personal website (“hxxps: //chrunlee.cn/a.exe”), then changed it three weeks later to run TeamViewer remote access software.


Interestingly, the author also abused the NPM package configuration options specified in the “package.json” file, specifically the “trash can“which is used to install JavaScript executables, to deploy a legitimate package named” jstest “, a cross-platform JavaScript test framework, the operator to launch a service via a command line capable of receiving an array of commands, including the file search, file download, execution of shell commands, and screen and camera recording.

ReversingLabs said it reported the malicious package to NPM’s security team twice, once on July 2 and another on July 15, but noted that no action has been taken to date to remove it. . We have reached out to NPM for further clarification, and will update the story once we receive a response.

Prevent data breaches

If anything, the development once again exposes the loopholes by relying on third-party code hosted on public package repositories like software supply chain attacks are becoming a popular tactic for threat actors to abuse trust in interconnected computer software to stage increasingly sophisticated security breaches.

“The growing popularity of software repositories and their ease of use make them an ideal target,” Zanki said. “When developers reuse existing libraries to implement needed functionality faster and easier, they rarely perform in-depth security assessments before including them in their project. “

“This omission is the result of the overwhelming nature and large amount of potential security issues found in third-party code. Therefore, in general, packages are quickly installed to validate whether they resolve the issue and, if they do so. do not, go to the alternative. It is a dangerous practice, and it can lead to the accidental installation of malware, ”Zanki added.

Leave a Reply

Your email address will not be published. Required fields are marked *