A software package available from the official NPM repository has been revealed to be actually a front for a tool that’s designed to steal saved passwords from the Chrome web browser. It demonstrated this ability by automatically prompting the user to reset their login credentials in a browser that it controlled on the same computer.

The package, called “Caught Stealing Passwords”, was uploaded to npm Hub on February 8th and removed shortly after. However, before its removal from the official repository it received more than 100 stars and 25 downloads on GitHub. According to its author, the software was meant to test the NPM service’s ability to remove malicious packages and its credibility in front of developers.

It’s not yet clear if the package has caused anyone any harm, although it is suspected that it can also be used as a backdoor into other users’ devices. While no one knows exactly what its creator’s intentions were, it’s been revealed that his or her name is “Alex”.

Stolen passwords are sent to a server located in China, however, its actual owner is unknown. NPM has said it will investigate and work with law enforcement agencies regarding the matter.

While the first version of the package was published just to test the process of publishing an NPM package, the developer, who went by the name of “chrunlee”, made revisions to implement a remote shell functionality which was improvised over several subsequent versions. The latest version of the software, which was published on April 14th, included a feature that would automatically push the password to a remote server when its author typed “passwd”, thereby bypassing any need for the user to manually enter their credentials. That triggered an alert in the user’s browser and prompted them to download and install a new version of Chrome.

“For a while, it seemed as if NPM would try to do what it could to keep this package in the business,” chrunlee wrote on GitHub. “Unfortunately, after the first iteration of this code and my previous post about it, I wasn’t able to get any support from their staff.”

After the initial pingback post was made on February 8th, the author updated his account and posted a follow-up message that responded to a Reddit user who noted that there were several empty comments below the description text. He did not fix them or respond until he received a private message where he apologized for causing concern over his initial submission.

ReversingLabs said it reported the rouge package to NPM’s security team twice, but noted that no action had been taken to date to take it down. On February 20th, the company stated that it discovered that both the description and the keywords had been filled with empty text only to keep the package up for users who search for it on NPM. In response to this, NPM’s chief technology officer put out a statement acknowledging the incident and revealing that an internal investigation was already underway.

According to the initial report by ReversingLabs, chrunlee had initially begun work on a software package that was designed to sniff out other malicious applications residing within NPM’s registry. At first, he attempted to gain access using passwords embedded in packages’ metadata and source code. It appeared that at least 10 accounts were compromised in this manner.

According to a company statement, NPM has taken steps to improve its security after the publication of ReversingLabs’ findings. For example, they have published more detailed instructions on how users can protect themselves in the event that they remain unconvinced by NPM’s promises regarding their software repository’s security.

“It’s not a guarantee that you won’t get hacked,” stated Isaac Z. Schlueter, who is the project’s chief technology officer. “But it means that everyone has to work really hard…and it also means that we can keep an eye out for things from an early stage.

NPM registry, which is the largest package manager in Node.js ecosystem, has been revealed to be lacking in security, and as such, any application that’s hosted on the service must be treated with caution. There are also other unscrupulous actors like ReversingLabs who are actively investigating open repositories even before they’re alerted by the developers. So, it’s best to keep an eye on your favorite NPM packages and look out for updates regularly to ensure that your applications remain safe from harm.

Interested in reading more about malware today? Malware Variations – Sophisticated in 2021 discusses the different types of malware in 2021 and how it is different from previous years in the past.

Liquid Video Technologies Logo, zero trust, Security, Video Surveillance, Greenville South Carolina, cybersecurity, NPM Package

If you would like liquidvideotechnologies.com to discuss developing your Home Security System, Networking, Access ControlFire, IT consultant, or PCI Compliance, please do not hesitate to call us at 864-859-9848 or you can email us at deveren@liquidvideotechnologies.com.