On August 1, npm Inc. — the company that runs the biggest JavaScript package repository — removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects.
According to a subsequent investigation by npm's team, on July 19, a person named HackTask uploaded 38 JavaScript libraries on the npm repository.
Attacker typo-squatted on famous project names
The attacker used a technique called "typo-squatting" to register packages with names similar to popular libraries, but containing typos in their names. For example, the attacker registered a malicious package named "mongose" that contained the source of the legitimate Mongoose project plus extra malicious code.
The malicious code in this projects would execute when developers would compile and run their personal JavaScript projects. The code would collect local environment variables and upload them to the attacker's server located at: npm.hacktask.net.
The attack is dangerous because some information such as hard-coded passwords or API access tokens is stored as environment variables.
Issue discovered by Swedish developer
The issue first came to light when Swedish developer Oscar Bolmsten ran across the cross-env npm package.
@kentcdodds Hi Kent, it looks like this npm package is stealing env variables on install, using your cross-env package as bait: pic.twitter.com/REsRG8Exsx
— Oscar Bolmsten (@o_cee) August 1, 2017
The developer reported the issue to the npm security team who eventually tracked down the rest of the affected packages and banned HackTask's npm account. Below is the full list of malicious npm packages — with their respective download counts:
babelcli: 42
cross-env.js: 43
crossenv: 679
d3.js: 72
fabric-js: 46
ffmepg: 44
gruntcli: 67
http-proxy.js: 41
jquery.js: 136
mariadb: 92
mongose: 196
mssql-node: 46
mssql.js: 48
mysqljs: 77
node-fabric: 87
node-opencv: 94
node-opensl: 40
node-openssl: 29
node-sqlite: 61
node-tkinter: 39
nodecaffe: 40
nodefabric: 44
nodeffmpeg: 39
nodemailer-js: 40
nodemailer.js: 39
nodemssql: 44
noderequest: 40
nodesass: 66
nodesqlite: 45
opencv.js: 40
openssl.js: 43
proxy.js: 43
shadowsock: 40
smb: 40
sqlite.js: 48
sqliter: 45
sqlserver: 50
tkinter: 45
Developers who used any of these packages within their projects are advised to change any passwords or access tokens they stored in their configurations.
Typo-squatting attacks are also common on Google's Chrome Web Store and Android Play Store, where malicious actors often copy popular Chrome extensions or Android apps, add malicious code, and re-upload the content on the official store with names similar to the originals.
In June 2017, the npm security team forced password resets for a large number of users after a researcher discovered that 13% of all npm packages used weak credentials.
In March 2017, a team of six researchers from the College of Computer and Information Science at Northeastern University discovered that over a third of today's most popular websites use outdated JavaScript libraries that are subject to known and old vulnerabilities.
Image credits: npm, Inc., Bleeping Computer
Comments
rhasce - 6 years ago
Ok this is bull Google is so god dam double standard, they blocked my personal google account after like 10 years of working with them, they are so harsh to even considering approving any crap that I try to add and I do no malicious crap, and then we got all these malicious uploaders putting bad stuff on google store with no issues this is so bad I hate google.
Toxus - 6 years ago
I'm sorry if I'm missing something here, but how is this relevant to the article? Google doesn't control NPM or Node.js.