This Halloween, information security specialists from Sonatype discovered another malicious npm package with a built-in backdoor, which had already been downloaded several hundred times.
After that, the security team of npm (Node Package Manager), the most popular JavaScript package manager, removed the malicious JavaScript library twilio-npm from the npm registry. The library contained malicious code that opened a backdoor on users' computers. The library's malicious behavior was discovered by researchers at Sonatype, a company that monitors public package repositories as part of its DevSecOps services.
Analysts say that the library was first published on the site last Friday, was noticed the same day, and was removed from the site and blacklisted two days later. Unfortunately, in those few days the malware was downloaded more than 370 times.
The malicious code found in the fake Twilio package opened a reverse shell (over TCP) on every machine where the library was installed and imported into a JavaScript/npm/Node.js project. The reverse shell connected to the address 4.tcp.ngrok[.]to:11425 and waited for commands, which it then executed on the victim's computer. The researchers also emphasize that the reverse shell worked only on UNIX-based operating systems.
It should be noted that this is not the first time in recent months that a malicious package has been removed from the npm registry. In September 2020, a package that stole files from Discord and browsers was discovered, and in October 2020 the same Sonatype specialists identified four packages at once that collected and sent to their creators such data about user machines as IP addresses, computer username, home directory path, processor model, and country and city information.
Let me remind you that vulnerabilities involving JavaScript are quite common; for example, Avast recently disabled the JavaScript engine in its antivirus due to a dangerous bug.