Malicious npm package opens backdoors on programmers’ computers


Image: npm, Armand Khoury, ZDNet

The npm security team has today removed a malicious JavaScript library from the npm website that contained code for opening backdoors on programmers' computers.

The JavaScript library was named "twilio-npm," and its malicious behavior was discovered over the weekend by Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.

In a report published today, Sonatype said the library was first published on the npm website on Friday, was discovered the same day, and was removed today after the npm security team blacklisted the package.

Despite its short lifespan on the npm portal, the library was downloaded more than 370 times and automatically included in JavaScript projects built and managed via the npm (Node Package Manager) command-line utility.

Ax Sharma, the Sonatype security researcher who discovered and analyzed the library, said the malicious code found inside the fake Twilio library opened a TCP reverse shell on all computers where the library was downloaded and imported inside JavaScript/npm/Node.js projects.

The reverse shell opened a connection to "four.tcp.ngrok[.]io:11425," from where it waited to receive new commands to run on the infected users' computers.

Sharma said the reverse shell only worked on UNIX-based operating systems.

Developers asked to change credentials, secrets, keys

"Any computer that has this package installed or running should be considered fully compromised," the npm security team said today, confirming Sonatype's investigation.

"All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm team added.

This marks the fourth major takedown of a malicious npm package over the past three months.

In late August, the npm staff removed a malicious npm (JavaScript) library designed to steal sensitive files from infected users' browsers and Discord application.

In September, npm staff removed four npm (JavaScript) libraries for collecting user details and uploading the stolen data to a public GitHub page.

In October, the npm team removed three npm (JavaScript) packages that were also caught opening reverse shells (backdoors) on developer computers. The three packages were also discovered by Sonatype. Unlike the one discovered over the weekend, these three also worked on Windows systems, and not just UNIX-like systems.
