NPM security team removes malicious package caught leaking data from UNIX systems
The package has been downloaded 32 times by developers
The security team at Node Package Manager (npm) has removed a malicious JavaScript package present in the npm repository, which was observed stealing sensitive data from UNIX systems.
The package, named 1337qq-js, was uploaded to the repository on 30th December 2019, and was downloaded at least 32 times over the past two weeks before it was spotted by Microsoft's Vulnerability Research team.
"This package name is not currently in use, but was formerly occupied by another package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we'll probably give it to you if you want it," the npm team said in an update.
According to ZDNet, a detailed analysis of the package revealed that it targeted only UNIX systems and, through its installation scripts, leaked sensitive information: environment variables, the list of running processes, the output of uname -a, and the user's .npmrc file.
Leaking environment variables is considered a major security issue because web and mobile apps often store secrets such as API access tokens and hard-coded passwords in them.
The npm security team is advising developers who installed the 1337qq-js package to remove it from their systems and rotate any credentials it may have compromised.
This is, however, not the first instance of a malicious package being uploaded into the npm repository index.
In June 2019, hackers succeeded in backdooring the electron-native-notify library to upload malicious code that eventually reached the Agama cryptocurrency wallet.
Earlier, in November 2018, another hacker was able to steal cryptocurrency after slipping malicious code into the BitPay Copay desktop and mobile wallet apps.
Similar incidents were also reported in July 2018, May 2018 and April 2017.
Npm - the de-facto package manager for the JavaScript runtime environment Node.js - was created as an open source project in 2009 to help JavaScript developers share packaged modules of code.
It consists of two components: a command line client (called npm) and the npm Registry.
The command line client allows developers to install and publish packages. The npm Registry is an online database of packages of open-source code for Node.js, mobile apps, front-end web apps, routers, robots, and many other needs of the JavaScript community.