Malicious package that steals credentials detected in npm repository

A malicious package that steals credentials from the systems on which it is installed was discovered in the npm package repository.

The npm package manager is a popular online database for open source packages used as dependencies in Node.js projects.

On Wednesday, August 21, the bb-builder package, which turned out to be malicious, was removed from it.

According to the npm notification, the systems on which bb-builder was installed should be considered “completely compromised” because the package deploys an executable file for Windows that sends sensitive information to a remote server.

“All secrets and keys stored on that computer should be rotated immediately from a different computer”, – the notification says.

Tomislav Pericin, co-founder and chief software architect at ReversingLabs, a company that provides automated static analysis, discovered a malicious package and file reputation services, during a full npm scan for dangerous elements. In total, Pericin scanned about 9 million packets, representing 35 TB of decompressed data.

Read also: Webmin code hid backdoor for more than a year

According to a specialist, bb-builder was added to npm through a compromised foreign account and stayed there for a year.

Tomislav Pericin

The package was intentionally mixed with other packages that developers use more often. Obviously, the attackers hoped that the developers would confuse bb-builder with another more popular package and mistakenly use it in their projects.

“However, ‘bb-builder’ was not a popular choice, as its installation statistics show few weekly downloads. The most active period was between June 19-25 when the number downloads peaked at 78”, — reported Tomislav Pericin.

As it was reported earlier, malicious versions of the Ruby libraries were detected in the RubyGems package manager. The libraries contained a backdoor that installs a cryptocurrency miner on compromised systems.

Reorganization

According to npn post, the package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.

Exit mobile version