What is NPM?
NPM is a node packet manager used to maintain and manage javascript and jquery libraries similar to other packet managers such as PyPI, RubyGems, Apache Maven, etc. The NPM repository is an easy and quick way to manage, share and install npm packages. It is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine.
So before going much deeper let us first get a clear idea about the NPM package manager, The NPM package manager is used by millions of developers every single day. They use the packages from the repository for their projects since they are from a trusted and legitimate source also helps them to complete their job easily and quickly. This allows developers to greatly extend the functionality of their JavaScript applications.
NPM is open-source, which means that anyone can contribute to it and that's where it becomes dangerous!!
NPM malware that can gain access to passwords saved in chrome browser,
On 07/02/2021 security researchers from ReversingLabs reported malicious packages that are found in the NPM repository to the NPM security team those packages were nodejs_net_server and tempdownloadtempfile.
How they found the malicious packages?
Firstly, ReversingLabs security researchers made static analysis over the entire NPM repository with Titanium Platform static analysis engine which is an advanced malware analysis platform. By which they found that the NPM repository not only contains javascript files but also executables such as PE, ELF, and Mach-O within its packages.
On continuing the analysis further, they found Win32.Infostealer.Heuristics file detected by the static analysis engine and it seemed to be a promising lead for the researchers. The researchers later found the same file on several versions of the nodejs_net_server package and also in tempdownloadtempfile package.
By analyzing the metadata of several versions of the nodejs_net_server package the researchers found that the original name of the file Win32.Infostealer.Heuristics to be "a.exe" which was located inside the lib folder. And clearly, it seemed to be a red flag for additional inspection.
Based on additional inspection they found a.exe file to be a password stealer malware that could also act as a C2 server. The a.exe file was designed to steal saved passwords from the chrome web browser.
Examining the a.exe file it revealed that it was ChromePass utility which is a tool used for password recovery in windows, it allows users to view the usernames and passwords that are stored by Google chrome web browser.
The ChromePass tool is not considered to be malicious but depending on where and how it is used it may be malicious. The malware author used this as it can be used to run from the command line and to get all usernames and passwords that are stored in chrome browser in windows machine.
According to the information given by the ReversingLabs security researchers, the nodejs_net_server package had 12 versions published and more than 1283 downloads since the package was first published in February 2019. The package was authored by "chrunlee".
The developer implemented a remote shell in the nodejs_net_server package which was polished over several subsequent versions over time. The last upgrade “chrunlee” made to NPM malware on the nodejs_net_server package was the script that steals credentials on Windows systems using the ChromePass feature. The script is hosted on the threat actor’s website but he managed to hide it subsequently by running TeamViewer.exe to not make the connection with the hacker’s website so visible.
The second package tempdownloadtempfile had no existing links. Even though one of its files – file/test.js had the same remote shell functionality as the ones found in the nodejs_net_server package this package doesn’t perform execution hijacking, and it lacks a persistence mechanism and so it is not considered to be dangerous like the previous one.
After inspecting the nodejs_net_server and tempdownloadtempfile which were reported by the security researchers, the NPM security team removed them after validating them to be malicious.
This is not the first time something like this is happening in NPM. NPM has been the focal point of hackers and security researchers for a very long time being open source and used by over 10 million users who download well over 30 billion packages every month it is a thing of concern.
Comment your thoughts on what do you think of NPM and the whole open-source software packages and practices and how can we secure them or can we?
Do check our other posts on cyber and AI here.
Follow us on Instagram for the latest updates in Cybersecurity and AI.
Comentários