Npm package with millions of downloads is at risk from malware hijacking

  • A popular npm maintainer fell prey to a phishing attack, sharing login credentials with cybercriminals
  • The attackers accessed their npm account and pushed malware through a popular package
  • They were removed six hours later, but users should still exercise caution

Experts have warned that ‘is’, an npm package with more than 2.8 million weekly downloads, was also compromised in the same manner, and served malware for roughly six hours.

This comes shortly after eslint-config-prettier, another popular npm package, was compromised in a supply chain attack that made it serve malware. Its maintainer, JounQin, received an email spoofing the support@npmjs.com address asking them to “verify” their account; doing so handed the attackers their login credentials.

The access was used to push versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package, which carried malware. Other compromised packages belonging to the same developer include eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.

Backdoors and infostealers

Now, new reports claim that John Harband, the maintainer of ‘is’, was compromised the same way. The attackers maintained access for roughly six hours, during which they pushed versions 3.3.1 through 5.0.0, which contained malicious code.

‘Is’ is a lightweight JavaScript utility library that checks what kind of value something is.

For example, it can tell you if something is a number, a list, or a word. It can also check if something is empty or if two things are the same.

It is simple, but rather popular, being widely used as a low-level utility dependency in development tools, testing libraries, build systems, and backend and CLI projects.

The malware deployed through these packages was a WebSocket-based backdoor that gave the attackers remote code execution on compromised endpoints. The eslint-config-prettier payload also dropped Scavenger, an infostealer that grabs data stored in the web browser.
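The practical question for anyone reading this is whether the affected versions are sitting in their own dependency tree. The script below is an added example (not from the article, BleepingComputer, or either maintainer) that walks a lockfile's `packages` map and flags the version numbers the article names: the four eslint-config-prettier releases and the inclusive 3.3.1 to 5.0.0 range of ‘is’. For the sibling packages the article lists without version numbers (eslint-plugin-prettier, synckit, @pkgr/core, napi-postinstall) it only reports that the package is present and needs a manual check. The lockfile it scans is a constructed sample; the version parser is a minimal major.minor.patch comparison written for this example, not the npm semver library.

```javascript
// Added example: scan a package-lock.json (lockfileVersion 2/3 "packages" map)
// for the compromised versions named in the article. Not part of the article.

// Versions the article states were compromised.
const KNOWN_BAD = {
  "eslint-config-prettier": { exact: ["8.10.1", "9.1.1", "10.1.6", "10.1.7"] },
  "is": { range: ["3.3.1", "5.0.0"] }, // inclusive range, as reported
};

// Packages the article names as compromised without giving versions:
// presence alone is worth a manual review against the registry's advisory.
const WATCHLIST = ["eslint-plugin-prettier", "synckit", "@pkgr/core", "napi-postinstall"];

// Minimal major.minor.patch parser (assumption: no semver library available).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the (name, version) pair matches an exact bad version or falls
// inside an inclusive bad range.
function isCompromised(name, version) {
  const entry = KNOWN_BAD[name];
  if (!entry) return false;
  if (entry.exact && entry.exact.includes(version)) return true;
  if (entry.range) {
    const v = parseVersion(version);
    if (!v) return false;
    const [lo, hi] = entry.range.map(parseVersion);
    return compareVersions(v, lo) >= 0 && compareVersions(v, hi) <= 0;
  }
  return false;
}

// Derive the package name from a lockfile path such as
// "node_modules/some-tool/node_modules/@scope/pkg" -> "@scope/pkg".
function nameFromPath(path, info) {
  if (info.name) return info.name;
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Returns one finding per matching entry: {path, name, version, status}
// where status is "compromised" (version known bad) or "review" (watchlist).
function scanLockfile(lock) {
  const findings = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    if (path === "" || !info || !info.version) continue; // root project entry
    const name = nameFromPath(path, info);
    if (isCompromised(name, info.version)) {
      findings.push({ path, name, version: info.version, status: "compromised" });
    } else if (WATCHLIST.includes(name)) {
      findings.push({ path, name, version: info.version, status: "review" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one bad eslint-config-prettier, one safe
// top-level "is", one bad nested "is", and a watchlisted synckit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/eslint-config-prettier": { version: "10.1.7" },
    "node_modules/is": { version: "3.3.0" },
    "node_modules/some-tool/node_modules/is": { version: "4.0.0" },
    "node_modules/synckit": { version: "0.11.0" },
  },
};

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; nested entries matter because a transitive dependency can pin a bad version of ‘is’ even when the top-level copy is clean, which is why the scan walks every path rather than only direct dependencies.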

Via BleepingComputer
