Malicious NPM Package Caught Stealing Users’ Saved Passwords From Browsers

Malicious NPM Package Caught Stealing Users’ Saved Passwords From Browsers 728 380 Haqtify

A software package available from the official NPM repository has been revealed to be actually a front for a tool that’s designed to steal saved passwords from the Chrome web browser.

The package in question, named “nodejs_net_server” and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub.

“It isn’t malicious by itself, but it can be when put into the malicious use context,” ReversingLabs researcher Karlo Zanki said in an analysis shared with The Hacker News. “For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line.”

While the first version of the package was put out just to test the process of publishing an NPM package, the developer, who went by the name of “chrunlee”, made follow-on revisions to implement a remote shell functionality which was improvised over several subsequent versions.

This was followed by the addition of a script that downloaded the ChromePass password-stealing tool hosted on their personal website (“hxxps://chrunlee.cn/a.exe”), only to modify it three weeks later to run TeamViewer remote access software.

 

Interestingly, the author also abused the configuration options of NPM packages specified in the “package.json” file, specifically the “bin” field that’s used to install JavaScript executables, to hijack the execution of a legitimate package named “jstest” — a cross-platform JavaScript test framework — with a malicious variant, exploiting it to launch a service via command line that’s capable of receiving an array of commands, including file lookup, file upload, shell command execution, and screen and camera recording.

ReversingLabs said it reported the rogue package to NPM’s security team twice, once on July 2 and again on July 15, but noted that no action has been taken to date to take it down. We have reached out to NPM for further clarification, and we’ll update the story once we hear back.

If anything, the development once again exposes the gaps in relying on third-party code hosted on public package repositories as software supply chain attacks become a popular tactic for threat actors to abuse the trust in interconnected IT tools to stage increasingly sophisticated security breaches.

“Growing popularity of software package repositories and their ease of use make them a perfect target,” Zanki said. “When developers reuse existing libraries to implement the needed functionality faster and easier, they rarely make in-depth security assessments before including them into their project.”

“This omission is a result of the overwhelming nature, and the vast quantity, of potential security issues found in third-party code. Hence in general, packages are quickly installed to validate whether they solve the problem and, if they don’t, move on to the alternative. This is a dangerous practice, and it can lead to incidental installation of malicious software,” Zanki added.

Update: The offending NPM package has now been pulled from the repository, with a GitHub spokesperson telling The Hacker News that “We removed the package in accordance with npm’s acceptable use policy regarding malware, as outlined in its Open-Source Terms.”

Visiting the NPM page for “nodejs_net_server” now displays the message “This package contained malicious code and was removed from the registry by the NPM security team.”