More popular npm packages hijacked to spread malware

News
By published

Criminals tried to smuggle malware in a widely popular npm package

An abstract image of digital security.
(Image credit: Shutterstock) (Image credit: Shutterstock)
  • A npm package maintainer has fallen victim to a phishing attack
  • The attackers accessed packages and updated them to carry malware
  • Most antivirus programs are still not properly flagging the malicious DLL

Several popular npm packages with millions of weekly downloads were targeted, and one used as a launchpad for malware deployment, when its maintainer fell prey to a phishing attack.

JounQin is a software developer that maintains eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.

These packages help integrate and streamline code formatting with Prettier and ESLint, manage async-to-sync tasks in Node.js, handle native binary installs, and support core utilities for bundling workflows.

Publishing a clean version

Prettier is a code formatting tool that enforces consistent style by automatically reformatting source code. ESLint, on the other hand, is a static code analysis tool that scans JavaScript and TypeScript code for bugs, style issues, and potential security flaws without running the code.

They recently received an email that spoofed the support@npmjs.com account, and which asked them to “verify” their account. They did so, and thus gave the attackers their login credentials. When the attackers gained access, they used it to install versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package. The community quickly spotted something was amiss, and notified the developer.

It was determined the malicious version runs a postinstall script as soon as it is installed. This script tries to execute a DLL via the rundll32 Windows system process which is now being flagged as a trojan.

The majority of antivirus programs are still not flagging this .DLL as malware. So far, just 19 out of 72 engines are detecting this DLL as malicious.

"I've deleted that npm token and will publish a new version ASAP," JounQin said after realizing they were compromised. "Thanks all, and sorry for my negligence.”

Here is a list of the malicious packages which should be avoided:

eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7.

eslint-plugin-prettier versions 4.2.2 and 4.2.3.

synckit version 0.11.9

@pkgr/core version 0.2.8

napi-postinstall version 0.3.1

Via BleepingComputer

You might also like

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.