Malicious Package Was Stealing User Credentials on the NPM Repository

  • NPM removed a malicious package called “bb-builder” after hosting it there for over a year.
  • The discovery of the package came after an in-depth scan of the whole repository by ReversingLabs.
  • Malicious actors love to infect development repositories as this is the basis for supply chain attacks.

NPM (Node Package Manager) has just removed a malicious package named “bb-builder” that was reportedly capable of stealing user login credentials from the systems it was installed on. The administrators of NPM rated the package’s risk as “severe” and warned anyone who installed it that their computers should now be considered “fully compromised”. The package executed an exfiltrator developed for Windows and sent the stolen user credentials to a remote server. Removing the package from the repository or from infected computers does not change the fact that people’s secret keys have already been compromised.

The discovery that all versions of bb-builder were malicious was made by Tomislav Pericin, co-founder of the static analysis firm ReversingLabs. The researcher scanned the entire NPM repository, which consists of nine million packages and amounts to 35 terabytes of data. The same company had done something similar with the PyPI Python repository last month, discovering another malicious package called “libpeshnx”. As the analysis firm points out, these discoveries are to be expected: package manager repositories that serve software development companies are an attractive place to plant something that enables a supply chain attack.

“bb-builder” remained in NPM for over a year without anyone noticing what it was doing, but thankfully it wasn’t very popular. As the repository stats indicate, its downloads peaked at 78 in June. The package name is one that could easily be confused with other, more popular packages, but it looks like developers are generally careful about what they use, being meticulous by nature.

NPM is a repository that comes with a package management tool devoted to the JavaScript programming language. It is used to store, download, and link public or private packages, allowing users to consume and distribute JavaScript modules. Developers use NPM for local dependency management and for automated package retrieval and installation. Because there is no vetting in the registry, some of the packages in NPM can be of low quality or even malicious. Similar repositories devoted to other programming languages and projects, and which have repeatedly been compromised in the past, are PyPI (Python), NuGet (.NET), and RubyGems (Ruby).
