The malicious file was uploaded on December 31

Jan 16, 2020 12:32 GMT

Microsoft has detected and reported a malicious package that was uploaded to npm, the Node.js package registry, on December 31.

In an official advisory acknowledging the malicious package, npm reveals that the malicious code was discovered in 1337qq-js, which has already been downloaded by more than 30 users.

All versions from 1.0.9 through 1.0.11 include the malicious code, according to the advisory. Version 0.0.1-security, on the other hand, is completely clean and can be safely downloaded.

Microsoft reported the package on January 13 and the advisory was published on the same day just after its removal.

The malicious code specifically targets UNIX systems, and it uses install scripts to exfiltrate sensitive information such as environment variables, the list of running processes, the npmrc file, the output of `uname -a`, and the contents of /etc/hosts.

The advisory, which carries a critical severity rating, states that the only way to remove the infection is to delete the package from the system and rotate any compromised credentials.
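As an added illustration (not code from the advisory, from Microsoft, or from any npm package), the following Node.js script audits a package's lifecycle scripts for references to the data categories named above and escalates the verdict when a network call appears alongside them; the package names and file contents are constructed for the demonstration.

```javascript
// Added example, not code from the advisory or from any npm package: audit an
// npm package's lifecycle scripts for the data the 1337qq-js advisory lists
// (environment, process list, .npmrc, uname -a, /etc/hosts) plus an egress call.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// One indicator per item named in the advisory, plus a network-egress indicator.
const INDICATORS = [
  { name: 'env', re: /process\.env|\bprintenv\b|\benv\b/ },
  { name: 'processes', re: /\bps\b|\/proc\// },
  { name: 'npmrc', re: /\.npmrc/ },
  { name: 'uname', re: /\buname\b/ },
  { name: 'hosts', re: /\/etc\/hosts/ },
  { name: 'egress', re: /\bcurl\b|\bwget\b|https?\.request|\bfetch\(|net\.connect/ },
];

// manifest: parsed package.json; files: { path: contents } of the tarball.
// Scans each hook command and any package file it names ("node setup.js").
function auditPackage(manifest, files = {}) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const named = Object.keys(files).filter((f) => cmd.includes(f));
    const text = [cmd, ...named.map((f) => files[f])].join('\n');
    const hits = INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
    findings.push({ hook, cmd, hits });
  }
  const all = new Set(findings.flatMap((f) => f.hits));
  const collects = [...all].some((h) => h !== 'egress');
  let verdict = findings.length ? 'review' : 'no-lifecycle-scripts';
  if (collects) verdict = all.has('egress') ? 'block' : 'suspicious';
  return { name: manifest.name, verdict, findings };
}

// Constructed samples (hypothetical names): a package whose postinstall runs a
// file touching the listed data and phoning home, and a benign native build.
const SUSPECT = { name: 'suspect-example', scripts: { postinstall: 'node setup.js' } };
const SUSPECT_FILES = {
  'setup.js': [
    "const report = { env: process.env, host: require('os').hostname() };",
    "report.uname = require('child_process').execSync('uname -a').toString();",
    "// also reads ~/.npmrc and /etc/hosts, then sends report via https.request",
  ].join('\n'),
};
const BENIGN = { name: 'addon-example', scripts: { install: 'node-gyp rebuild' } };

for (const r of [auditPackage(SUSPECT, SUSPECT_FILES), auditPackage(BENIGN)]) {
  console.log(r.name, r.verdict, r.findings.map((f) => `${f.hook}: [${f.hits}]`));
}
```

Packages flagged for review can be installed with `npm install --ignore-scripts` until their lifecycle scripts have been read; for anything already installed, the advisory's remediation of removing the package and rotating credentials still applies.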

npm security issues

npm security advisories are becoming more common: last month alone, a total of 17 packages were found to carry vulnerabilities, such as information exposure and cross-site scripting, that could be exploited for malicious activity.

For example, a command injection bug discovered in the hot-formula-parser package in mid-December affected all versions prior to 3.0.1. The issue was fixed in the latest release, and a January 9 advisory recommends that users deploy the update as soon as possible.

“Versions of hot-formula-parser prior to 3.0.1 are vulnerable to Command Injection. The package fails to sanitize values passed to the parse function and concatenates it in an eval call. If a value of the formula is supplied by user-controlled input it may allow attackers to run arbitrary commands in the server,” the advisory reads.

A full list of the latest npm security advisories is available on this page.