The Darker Side of NPM

NPM package steals passwords from your Windows machine !

The actual scandal !

In a recent series of events, the Node Package Manager (npm) has become a threat to the digital world. The code that was being published onto the npm has been caught stealing passwords of the user via secured and legitimate account recovery tools in Google Chrome.

Upon investigation, it was found that there were two malicious npm packages which stole passwords stored in Chrome. This malware is multifunctional i.e., it can listen to the command of the attacker’s server and can also abuse with the infected system’s privacy. It can record & upload files from the victim’s camera and mic and can also play with the PowerShell commands.

In this article we will try to breakdown, how the dark web developer managed to abuse Chrome’s and npm’s security and was able to add malicious software into user’s local machines.

What is Npm ?

How was this exposed?

How chrunlee managed to abuse chrome’s security tools ?

Gaining control over npm configuration for persistency

Developer gets caught in his own trap.

Is npm facing this for the first time ?

Conclusion

What is NPM ?

NPM is considered to be the default package manager for Node.js runtime environments, which is similar to that of GitHub. It plays a key role in supply and management of JavaScript packages. It has over 1.5 M unique JS packages and manages more the 1 B JS requests in 24 hours.

How did this threat got exposed ? How was a repository with more than 12 billion users infected with such a malware ? How was it being unnoticed for over 6 months?

The answer to these questions lies inside to windows.exe files that were found in packages named nodejs_net_server and temptesttempfile by the researcher of ReversingLabs.

On an interesting note, the .exe files were named as Win32.Infostealer.Heuristics.

How was this exposed ?

The nodejs_net_server has over 1.3k total downloads and the temptesttempfile has over 800 total downloads. This malware was suspiciously caught by ReversingLabs’ Platform static analysis engine that works based on Machine learning algorithms.

The nodejs_net_server was updated about 6 months back authored by an active developer on GitHub named chrunlee. By using the static analysis, the researchers found out that, the Win32.Infostealer.Heuristics was originally a single-letter .exe file and usually a single-letter .exe file is a red flag for the threat hunters.

On further deep digging, it was found that the exe turned out to be ChromePass, a legitimate password recovery tool.

How chrunlee managed to abuse chrome’s security tools ?

Chrunlee managed to publish and buff the package with 12 versions & in the final version he managed to insert a script for downloading the password stealer when the developer hosts the website. This script enables the usage of the TeamViewer.exe which of course allows the attacker to access information of the user without user’s notice and this also loses the link between the malware and website to keep he malware unnoticed by different cloud web securities. Chrunlee started testing his software in different versions of the package by April 2020 and managed to launch the password-stealer script by December 2020.

Coming onto chrunlee’s second package i.e., temptesttempfile, posed various problems to the researchers since both the homepage readme and the GitHub repository links were redirected to non-existent webpages.

One of the files of this package, test.js implements the same remote shell functionality as that in the nodejs_net_server but this package didn’t perform any sort of hijacking but also lacked a persistence mechanism which made the motto suspicious and unclear.

Gaining control over npm configuration for persistency

Npm packages rely on methods like typosquatting and dependency confusion to catch malicious activity inside the package manager.

However, according to the researchers of ReversingLabs, no typosquatting was found in either of the packages which still is a confusion that how chrunlee attracted people towards installing this package.

On an interesting turn of events, it was found that whenever a developer installs the nodejs_net_server package, the malware tries to get access to the local machine by abusing the bin option.

The bin option is present in the package.json file and it is aimed for infecting and asserting access over the famous jstest package.

According to statistical data, jstest is one of the most downloaded JavaScript testing frameworks which makes it certain to be present in most of the NodeJS developers.

The malware doesn’t completely depend on the presence of the jstest in order to function but its presence eases the process of infection by providing persistence.

Chrunlee managed to automate the jstest command in the package which either way provides persistence to the malware as well as it also executes the backdoor functionality.

The command implemented by the malware by default overrides the existing jstest file and adds a test.js file which provides persistence to the malware for accessing the windows machine.

This newly added test.js service opens up port 7353 that allows to perform various surveillance activities and access to the user data:

• reverse host and port configuration
• file upload and search
• directory content listing
• shell command execution
• screen and camera access and recording
• password stealer via ChromePass recovery utility tool

Phew ! Why are we using our Windows machine now ?

The hijacker has access to everything. This sounds Dangerous. Hope you safely browsing and developing.

According the researchers only the nodejs_net_server was the package that can provide multiple access to the hijacker but the temptesttempfile could only provide shell commands access to the hijacker.

Developer gets caught in his own trap.

A funny incident came up during the investigation of this event i.e., during the earlier versions chrunlee leaked the credentials of his own computer.

While testing the malware the ChromePass utility opened up chrunlee’s personal passwords and over 250 login credentials were stored to a .txt file inside the repository and the file was named as a.exe.

Interestingly, the researchers also found that chrunlee never cared about the password policy practices and instead he used lame and common passwords like 1234.

In this manner, chrunlee himself fell into his own trap and published his personal weird passwords publicly.

Is npm facing this for the first time ?

No, this isn’t the first time malicious softwares are entering npm,

• In early 2021, three malicious packages were published onto npm which were capable of stealing tokens , information from Discord users.
• In November 2018, a malicious package was found which was basically a dependency to version 3.3.6 of the famous package, event-stream. This malicious package, called flatmap-stream, which contained an encrypted payload that was designed to steal Bitcoins from the Copay application.

Conclusion

The npm security have taken down both these packages from npm after an internal investigation.

With the growing number of technical hijacks in the recent times, it has become very difficult to sustain and rely on the third-party packages that we install onto our local machine.

The number of attacks occurring onto public repositories are increasing rapidly, while the security laboratories are trying their best to maintain cleanliness in the repositories but as a responsible developer, we should have a clarity about a third-party package before using it.

Happy Coding ! Safe Coding !

If you like my blogs, then you can support me with