- NPM removed a malicious package called “bb-builder” after hosting it there for over a year.
- The discovery of the package came after an in-depth scan of the whole repository by ReversingLabs.
- Malicious actors love to infect development repositories as this is the basis for supply chain attacks.
NPM (Node Package Manager) has just removed a malicious package named “bb-builder” that was reportedly capable of stealing user login credentials from the systems it was installed on. The administrators of NPM marked the package’s risk as “severe” and warned people who installed it that their computers should now be considered “fully compromised”. The package executed an exfiltrator developed for Windows and sent the stolen user credentials to a remote server. That said, removing the package from the repository or from infected computers won’t change the fact that people’s secret keys have already been compromised.
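A check that can be run against a project's parsed package-lock.json to see whether bb-builder appears anywhere in the dependency tree, including as a transitive dependency. This is an added example, not code from NPM or ReversingLabs; the function name, the sample lockfiles and their package names and versions are constructed for illustration.

```javascript
// Added example: list every place a named package appears in a parsed
// package-lock.json. Handles the lockfileVersion 2/3 "packages" map and the
// lockfileVersion 1 nested "dependencies" tree.
const BAD = "bb-builder"; // package name taken from the article

function findInLock(lock, name = BAD) {
  const hits = [];
  const marker = "node_modules/";
  // v2/v3: keys are install paths such as "node_modules/a/node_modules/b".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    // Compare the full trailing name so "@scope/bb-builder" and
    // "bb-builder-x" are not reported as matches.
    if (idx !== -1 && path.slice(idx + marker.length) === name) {
      hits.push({ path, version: meta.version || null });
    }
  }
  // v1: recurse through nested dependencies, keeping the chain that led here.
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const here = [...trail, dep];
      if (dep === name) {
        hits.push({ path: here.join(" > "), version: meta.version || null });
      }
      walk(meta.dependencies, here);
    }
  };
  // v2 files carry both sections; walk the tree only when "packages" is absent.
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfiles (names and versions are illustrative only).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-helper": { version: "2.1.0" },
    "node_modules/left-helper/node_modules/bb-builder": { version: "0.0.1" },
    "node_modules/@acme/bb-builder": { version: "3.0.0" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "left-helper": { version: "2.1.0", dependencies: { "bb-builder": { version: "0.0.1" } } },
  },
};

console.log(findInLock(sampleV3), findInLock(sampleV1));
```

For a real project, pass the function the result of `JSON.parse` on the lockfile contents; a hit means the machine that ran the install falls under the "fully compromised" warning quoted above.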
The discovery of the malicious nature of all versions of bb-builder was made by Tomislav Pericin, co-founder of the static analysis firm ReversingLabs. The researcher scanned the entire NPM repository, which consists of nine million packages and amounts to 35 terabytes of data. The same company did something similar with the PyPI Python repository last month, discovering another malicious package called "libpeshnx". As the analysis firm points out, such discoveries are to be expected, because package manager repositories that serve software development companies are an ideal place to plant something that enables a supply chain attack.
The “bb-builder” package remained in NPM for over a year without anyone noticing what it was doing, but thankfully, it wasn’t very popular. According to the repository stats, the number of downloads peaked at 78 in June. The package’s name could easily be confused with other, more popular packages, but it looks like developers are generally careful about what they use, as they tend to be meticulous.