NPM security team removes malicious package caught leaking data from UNIX systems
The package, named 1337qq-js, was uploaded to the repository on 30th December 2019, and was downloaded at least 32 times over the past two weeks before it was spotted by Microsoft’s Vulnerability Research team.
“This package name is not currently in use, but was formerly occupied by another package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we’ll probably give it to you if you want it,” npm team said in an update.
According to ZDNet, a detailed analysis of the package revealed that it targeted only UNIX systems and leaked sensitive information, including environment variables, running processes, uname-a, and npmrc file, through installation scripts.
Leaking information about environment variables is considered a major security issue as some web and mobile apps often use environment variables to store information such as API access tokens and hard-coded passwords.
The npm security team is advising developers to remove 1337qq-js package from their systems (in case they downloaded it) and rotate any compromised credentials.
This is, however, not the first instance of a malicious package being uploaded into the npm repository index.
In June 2019, hackers succeeded to backdoor an electronic local notification library to upload malicious code that eventually reached the Agama cryptocurrency wallet.
Earlier in November 2018, another hacker was able to steal cryptocurrency after uploading malicious code into the BitPay Copay desktop and mobile wallet apps.
Similar incidents were also reported in July 2018, May 2018 and April 2017.
It consists of two components: a command line client (called npm) and the npm Registry.