Information security specialists discovered another malicious npm package with a backdoor

malicious npm package
Written by Emma Davis

This Halloween, information security specialists from Sonatype discovered another malicious npm package with a built-in backdoor, which has already downloaded several hundred users.

After that, the security team of the most popular JavaScript package manager npm (Node Package Manager) removed the malicious JavaScript library twilio-npm from the npm website. The library contained malicious code that opened a backdoor to users’ computers.

The library’s malicious behavior discovered Sonatype researchers, a company that studies public package repositories as part of its DevSecOps services.

Fortunately, however, the malware that was disguised and lurking inside the npm open source registry, was rapidly detected by Sonatype’s Release Integrity malicious code detection service.wrote npm security team.

Analysts say that the library was first published on the site last Friday, but on the same day it was noticed, and two days later it was removed from the site and blacklisted. Unfortunately, in those few days, the malware was downloaded more than 370 times.

The malicious code found in the fake Twilio opened a reverse shell (via TCP) on all machines where the library was loaded and imported into JavaScript/npm/Node.js projects. Then this reverse shell opened a connection with the address 4.tcp.ngrok[.]to: 11425 and waited for new commands to be received to be executed on the victim’s computers. Moreover, the researchers emphasize that the reverse shell worked only for UNIX-based operating systems.

Any computer on which this package was installed or running should be considered completely compromised. All secrets and keys stored on this computer must be immediately updated from another computer.warn npm experts, fully confirming Sonatype's information.

It should be noted that this is not the first time, when a malicious package has been removed from the npm site in recent months. So, in September 2020, was discovered a package that stole files from Discord and browsers, and in October 2020, same Sonatype specialists identified at once four packages that collected and sent to their creators such data about user machines as IP addresses. computer username, home directory path, processor model, and country and city information.

Let me remind you that vulnerabilities in JavaScript are quite common, for example, recently even Avast disabled JavaScript-engine in its antivirus due to a dangerous bug.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply