Threat Watch

Malicious Package Removed From npm Website

Sonatype, known for its monitoring of public packet repositories, discovered a malicious JavaScript library on Friday that was originally published on npm’s website on the same day. The package was disguised with the name “twilio-npm” and would allow threat actors backdoor access to programmers’ computers via the malicious code that was contained within. While the package didn’t stay on the npm website very long, it was downloaded over 370 times and also was automatically included in any projects that ran the npm (Node Package Manager) command-line utility. According to the researcher Ax Sharma of Sonatype, the code found inside the packages would open a TCP reverse shell on all computers running Linux or Unix-based operating systems where the library was downloaded and imported inside JavaScript/npm/Node.js projects. From there, the shell connected to “4.tcp.ngrok[.]io:11425” where it was stagnant until new commands were received. As of yesterday, the npm team has blacklisted the package, but this does not mean users won’t still be affected.

ANALYST NOTES

Per the Sonatype security team, any device that has installed or is running the package should consider their device compromised. Any content that is considered important should be immediately removed from the affected device, including passwords, API keys, customer records, personal information, special code, etc.

Source: https://www.zdnet.com/article/malicious-npm-package-opens-backdoors-on-programmers-computers/