
npm Pulls Malicious Package that Stole Login Passwords

A malicious package was removed today from the npm repository after it was discovered that it stole login information from the computers it was installed on.

The npm repository is a popular online database for open-source packages that are often used as dependencies in Node.js projects.

Critical severity

Earlier today, npm pulled the package ‘bb-builder’ from the repository, marking it as malicious with critical severity.

The advisory warns that computers on which this package was installed or run should be considered “fully compromised”, because it deployed a Windows executable that sent sensitive information to a remote server.

“All secrets and keys stored on that computer should be rotated immediately from a different computer,” npm advises.

npm received the alert on the package from Tomislav Pericin, co-founder and chief software architect at ReversingLabs, a company that provides automated static analysis and file reputation services.

The researcher told BleepingComputer he found the bad package after scanning the entire npm repository for dangerous entries – about nine million packages that translate to 35TB of decompressed data.

Not long ago, ReversingLabs performed a similar scan on the PyPI repository for Python packages and found the ‘libpeshnx’ library that contained a malicious function that downloaded a backdoor.

Action beyond package removal is necessary

Pericin told us that ‘bb-builder’ had been added to npm after the account owner’s credentials were compromised. It stayed undiscovered for a year.

The package was deliberately named so that it could be confused with other packages that developers use more frequently.

However, ‘bb-builder’ was not a popular choice, as its installation statistics show few weekly downloads. The most active period was June 19-25, when the number of downloads peaked at 78.

npm advises developers to remove this package, but warns that this action may not be sufficient to ensure that the system is clean.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.” – npm
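Because a package like this can arrive as a transitive dependency rather than one a developer added by hand, the first question for an affected team is whether ‘bb-builder’ appears anywhere in a project’s dependency tree. The following script is an added example, not code from the article or from npm: it walks a package-lock.json (both the nested lockfileVersion 1 layout and the flat “packages” map of lockfileVersion 2/3) and reports every install path at which the flagged package name occurs. The lockfile contents, the parent package name “some-builder” and the version strings are constructed sample data.

```javascript
// Added example: locate a flagged package anywhere in a package-lock.json,
// including transitive installs nested under other packages.
// Assumptions: lockfile is parsed JSON; lockfileVersion 1 uses nested
// "dependencies", lockfileVersion 2/3 uses "packages" keyed by install path.

function findFlaggedPackage(lockfile, flaggedName) {
  const hits = [];

  if (lockfile.packages) {
    // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/b".
    // The package name is whatever follows the last "node_modules/" segment
    // (scoped names such as "@scope/name" survive this split intact).
    for (const [installPath, meta] of Object.entries(lockfile.packages)) {
      if (installPath === "") continue; // root project entry, not a dependency
      const name = installPath.split("node_modules/").pop();
      if (name === flaggedName) {
        hits.push({ path: installPath, version: meta.version });
      }
    }
    // A v2 lockfile also carries a legacy "dependencies" tree describing the
    // same installs; skip it so each occurrence is reported once.
    return hits;
  }

  if (lockfile.dependencies) {
    // lockfileVersion 1: each dependency may carry its own nested
    // "dependencies" object for packages installed beneath it.
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const installPath = prefix
          ? `${prefix}/node_modules/${name}`
          : `node_modules/${name}`;
        if (name === flaggedName) {
          hits.push({ path: installPath, version: meta.version });
        }
        if (meta.dependencies) walk(meta.dependencies, installPath);
      }
    };
    walk(lockfile.dependencies, "");
  }

  return hits;
}

// Human-readable summary for a scan, suitable for a CI log line.
function describeScan(lockfile, flaggedName) {
  const hits = findFlaggedPackage(lockfile, flaggedName);
  if (hits.length === 0) return `${flaggedName}: not present`;
  const where = hits.map((h) => `${h.path}@${h.version}`).join(", ");
  return `${flaggedName}: FOUND ${hits.length} install(s): ${where}`;
}

// Constructed sample lockfiles (not real projects). "some-builder" is a
// made-up parent package that pulls the flagged package in transitively;
// the version numbers are placeholders.
const SAMPLE_LOCK_V3 = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "some-builder": "^1.0.0" } },
    "node_modules/some-builder": {
      version: "1.0.0",
      dependencies: { "bb-builder": "*" },
    },
    "node_modules/some-builder/node_modules/bb-builder": { version: "0.1.0" },
  },
};

const SAMPLE_LOCK_V1 = {
  name: "example-app",
  lockfileVersion: 1,
  dependencies: {
    "some-builder": {
      version: "1.0.0",
      requires: { "bb-builder": "*" },
      dependencies: { "bb-builder": { version: "0.1.0" } },
    },
  },
};

console.log(describeScan(SAMPLE_LOCK_V3, "bb-builder"));
console.log(describeScan(SAMPLE_LOCK_V1, "bb-builder"));
```

To run this against a real project, parse its lockfile with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and pass the result to `findFlaggedPackage`; `npm ls bb-builder` run in the project directory gives the same answer for what is actually installed under node_modules. A hit in either place is the trigger for the advisory’s guidance above: removing the package is the start, and rotating every secret and key that was on the machine, from a different computer, is the part that actually addresses the compromise.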

