NPM Malware

24th July 2021, Kathmandu

Threat to Google Chrome Passwords: NPM Malware. NPM malware was found exploiting passwords of Google Chrome.

It is a known incontrovertible fact that organizations and individuals should protect publicly exposed applications and services against latent threats. However, there are always weak links and threat actors are always on the lookout for straightforward ways to infiltrate a network. One of the ways to undertake so is by exploiting the trust placed in third-party code by developers. A software package from the npm repository has been spotted serving as a tool with an aim to steal passwords saved within the Chrome browser.

Security Analysts found the malware pilfering credentials from Chrome on Windows systems. The password-stealer package hears for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands as well, so, it is known to be multifunctional.

What’s up?

The malware was discovered utilizing legitimate password recovery tools on Windows systems which is capable of providing extra access to camera and screen, file lookup, directory list, file upload, and shell command execution. The packages are within the npm registry since 2018 and downloaded quite 2,000 times. Npm also holds numerous types of executables such as PE, ELF, and Mach-O, besides textual Javascript. ReversingLabs analysts, who published their discoveries in a Wednesday post, said that during an analysis of the code repository, they found an interesting embedded Windows executable file: a credential-stealing threat. Labeled “Win32.Infostealer.Heuristics”, it showed up in two packages: nodejs_net_server and temptest temp file.

For the time being, the first, main threat is nodejs_net_server.

Why it matters

For three years, the malware has inhabited the npm registry, which is a concerning factor. This threat vindicates the fact that attacks on open-source ecosystems are not going away anywhere. It also substantiates that the threats are capable of evading detection for long periods.

The bottom line

Npm as well as cybercriminals have also penetrated PyPI to illegitimately mine cryptocurrency. This latest news shows how developers sometimes put too much trust in third-party code. Public package repositories serve as a good hiding place for malware. Therefore, there is an increasing demand for security measures that would help promptly detect and protect against these threats.


Please enter your comment!
Please enter your name here