A malicious package was removed today from the npm repository after it was discovered that it stole login information from the computers it was installed on.
The npm repository is a popular online database for open-source packages that are often used as dependencies in Node.js projects.
Earlier today, npm pulled the package ‘bb-builder’ from the repository, marking it as malicious with critical severity.
The advisory warns that computers that had this package installed or running should be considered “fully compromised” because it deployed an executable for the Windows operating system that sent sensitive information to a remote server.
“All secrets and keys stored on that computer should be rotated immediately from a different computer,” npm advises.
npm received the alert on the package from Tomislav Pericin, co-founder and chief software architect at ReversingLabs, a company that provides automated static analysis and file reputation services.
The researcher told BleepingComputer he found the bad package after scanning the entire npm repository for dangerous entries – about nine million packages that translate to 35TB of decompressed data.
Not long ago, ReversingLabs performed a similar scan on the PyPI repository for Python packages and found the ‘libpeshnx’ library that contained a malicious function that downloaded a backdoor.
Action beyond package removal is necessary
Pericin told us that ‘bb-builder’ had been added to npm after the credentials of the account that owned it were compromised, and that it stayed undiscovered for a year.
The package was deliberately named so that it could be confused with other packages that developers use more frequently.
However, ‘bb-builder’ was not a popular choice, as its installation statistics show few weekly downloads. The most active period was between June 19-25, when the number of downloads peaked at 78.
npm advises developers to remove this package, but warns that this action may not be sufficient to ensure that the system is clean.