NPM is Now Providing Malware – or was until recently

Submitted by
Style Pass
2021-07-22 12:30:03

Another malicious library has been spotted in the JavaScript-oriented NPM registry, underscoring the continued fragility of today's software supply chain.

Like other software package registries – repositories of code libraries for specific tasks – NPM, which was acquired last year by Microsoft's GitHub, has proven to be an effective mechanism for spreading malicious software. Developers tend to trust the modules they download from such services and typically incorporate them into their projects without much scrutiny.

On Wednesday, ReversingLabs, a software security analysis firm, said it had identified password-stealing code in the nodejs_net_server package distributed via NPM.

The package, maintained by an author identified as "chrunlee," debuted as a 1.0.0 release on February 28, 2019. According to ReversingLabs, the project evolved to include remote shell functionality over the next several versions and late last year gained password-stealing capabilities with its 1.1.0 release.

"In December 2020, the author made an upgrade to version 1.1.0 by adding a script to download [a password access tool called ChromePass] hosted on their personal website, with the URL location hxxps://chrunlee.cn/a.exe," the company explained in a blog post.