Popular NPM packages with over a million downloads hit by malware

News
By published

More than a dozen NPM packages had to be deprecated as a result

open source software
(Image credit: Pixabay)
  • 17 NPM packages with more than a million weekly downloads were compromised to deliver a RAT
  • The attack could turn into a major supply chain attack, experts warned
  • The packages were since deprecated, but users should be on their guard

More than a dozen packages on NPM were poisoned with a Remote Access Trojan (RAT), possibly infecting millions of projects.

Cybersecurity researchers Aikido Security recently discovered malicious code buried very deep in 17 popular Gluestack packages.

The packages cumulatively have more than a million downloads weekly, meaning huge amounts of users could possibly be affected, the experts warned.

Revoking access tokens

Here is the full list of compromised packages:

  • @react-native-aria/button
  • @react-native-aria/checkbox
  • @react-native-aria/combobox
  • @react-native-aria/disclosure
  • @react-native-aria/focus
  • @react-native-aria/interactions
  • @react-native-aria/listbox
  • @react-native-aria/menu
  • @react-native-aria/overlays
  • @react-native-aria/radio
  • @react-native-aria/switch
  • @react-native-aria/toggle
  • @react-native-aria/utils
  • @gluestack-ui/utils
  • @react-native-aria/separator
  • @react-native-aria/slider
  • @react-native-aria/tabs

The packages deployed malicious code that connected to the attackers’ command-and-control (C2) and received additional commands including, among other things, the ability to upload a single, or multiple files.

Furthermore, the trojan can execute Windows PATH hijacking and silently override legitimate python and pip commands.

In response, Gluestack revoked an access token used to publish the compromised packages. All of the poisoned tools are marked on NPM as deprecated.

"Unfortunately, unpublishing the compromised version wasn’t possible due to dependent packages," a GlueStack developer said on GitHub. "As a mitigation, I have deprecated the affected versions and updated the latest tag to point to a safe, older version."

The Node Package Manager (NPM) is the default package manager for the JavaScript runtime environment Node.js. It is used to install libraries, share packages with the community, manage dependencies, run scripts, and more.

As such, it is vastly popular, having millions of monthly visitors, and hundreds of thousands of registered accounts that frequently publish their packages.

Unfortunately, popular platforms attract threat actors in droves, and situations such as this one are not uncommon on NPM, or similar platforms such as GitHub or PyPi.

Via BleepingComputer

You might also like

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.