Npm package with millions of downloads is at risk from malware hijacking


  • A popular npm maintainer fell for a phishing email and handed their login credentials to cybercriminals
  • The attackers used the account to publish malware-laden versions of a widely used package
  • The malicious versions were pulled roughly six hours later, but anyone who installed in that window should still take action

Experts have warned that ‘is’, an npm package with more than 2.8 million weekly downloads, is the latest victim of an ongoing phishing campaign against npm maintainers, and served malware for roughly six hours.

This comes shortly after eslint-config-prettier, another popular npm package, was compromised in a supply chain attack that made it serve malware. Its maintainer, JounQin, received an email spoofing the support@npmjs.com address and asking them to “verify” their account; when they did, the attackers obtained their login credentials.

That access was used to publish versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package, all of which carried malware. Other compromised packages belonging to the same developer include eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.

Backdoors and infostealers

Now, new reports claim that Jordan Harband, the maintainer of ‘is’, was compromised the same way. The attackers kept access for roughly six hours, during which they pushed versions 3.3.1 through 5.0.0, all containing malicious code.
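One practical follow-up to the version lists above is to audit a project's package-lock.json for them. The script below is an added example, not code from the article or from either affected project; it takes the eslint-config-prettier version list and the ‘is’ range stated above as given, and the lockfile it scans is constructed sample data (a real audit would read the file from disk instead).

```javascript
// Added example (not from the article or the affected projects): flag the
// compromised releases named in the article inside an npm lockfile (v2/v3
// format, which carries a flat "packages" map keyed by install path).

const COMPROMISED = {
  // Exact versions the attackers published, per the article.
  "eslint-config-prettier": { exact: ["8.10.1", "9.1.1", "10.1.6", "10.1.7"] },
  // The article gives a range for 'is': 3.3.1 through 5.0.0, treated as inclusive here.
  "is": { range: ["3.3.1", "5.0.0"] },
};

// Minimal major.minor.patch comparison; pre-release suffixes are ignored.
// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// True if this exact name@version is one of the hijacked releases.
function isCompromised(name, version) {
  const entry = COMPROMISED[name];
  if (!entry) return false;
  if (entry.exact) return entry.exact.includes(version);
  const [lo, hi] = entry.range;
  return compareVersions(version, lo) >= 0 && compareVersions(version, hi) <= 0;
}

// Walk every installed copy, including nested duplicates such as
// "node_modules/tool/node_modules/is". The package name is whatever follows
// the last "node_modules/" segment, which keeps scoped names like "@pkgr/core" intact.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                       // root project entry
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue;                        // workspace or link entries
    const name = path.slice(idx + "node_modules/".length);
    if (meta.version && isCompromised(name, meta.version)) {
      findings.push({ path, name, version: meta.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: one clean 'is', one hijacked eslint-config-prettier,
// and a nested hijacked 'is' that a top-level-only check would miss.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/is": { version: "3.3.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/some-tool/node_modules/is": { version: "5.0.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

const SAMPLE_FINDINGS = auditLockfile(SAMPLE_LOCK);
for (const f of SAMPLE_FINDINGS) {
  console.log(`COMPROMISED ${f.name}@${f.version} installed at ${f.path}`);
}
// For a real project: auditLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
```

Treating the ‘is’ window as an inclusive range follows the article's wording; lockfile v1 files use a nested `dependencies` tree instead of `packages` and would need a recursive walker. A hit means the machine that ran `npm install` executed the payload, so it should be handled as a compromised host (credential rotation included), not merely have the dependency downgraded.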

‘Is’ is a lightweight JavaScript utility library for type checking: it tells you what kind of value something is.

For example, it can tell you if something is a number, a list, or a word. It can also check if something is empty or if two things are the same.

It is simple but very widely used as a low-level dependency in development tools, testing libraries, build systems, and backend and CLI projects, which is why a hijacked release reaches so many installs so quickly.

The malware in the hijacked ‘is’ releases was a WebSocket-based backdoor that gave the attackers remote code execution on any machine that installed it. The eslint-config-prettier payload also dropped Scavenger, an infostealer that harvests data saved in web browsers.

Via BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
