Malicious npm Packages Caught Installing Remote Access Trojans

The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. From a report: The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications. Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis. According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed any of the two malicious libraries. The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

How many times will this happen?

[Entrope]

I get that npm wants to be accessible and easy to add code to, but they have just way too many of these incidents to excuse. Either make this kind of screening much more reliable, and mandatory before any new module shows up in search results, or require uploaders to verify their identity before accepting uploads. Not every country has something like Section 230 that lets people avoid responsibility for malicious content that they disseminate.

Re:How many times will this happen?

[Dracos]

At the same pace until Javascript and its community matures. Or better yet, gets replaced.

NPM is one part package manager (for very broad/vague definitions of "package"), one part code snippet landfill, and one part language prosthetic, all because JS needs it to be. All the JS infrastructure was developed haphazardly by inexperienced developers with a "clean room" mentality who insist on solving all related problems anew to prove JS is on par with better languages. As with every other language, every bit of infrastructure is a reflection of the language and its community.

Re:

[mark-t]

The problem isn't with javascript, it's with the mentality that surrounds the usage of npm.

Javascript does not require npm to be useful.

Re:

[TFlan91]

As demonstrated by Deno and browsers, sure.

Node.js does, for the most part, require npm. Node.js/npm won't be going away anytime soon.

Re:

[AlanObject]

Javascript does not require npm to be useful.

Just try developing an Angular application without it.

It can be done -- but why.

Re:

[mark-t]

javascript does not require Angular to be useful either.

Re:

[ffkom]

You are right in a way, but the problem is that this immature habit of blindly downloading even the tiniest of code snippets from unverified sources on the Internet is just reflecting the "now industry standard" of organized irresponsibility. So these haphazard JavaScriptKiddies are very much compatible with the mantra of the C-level to outsource everything, preferably for free, if only to be able to blame all failures on some unknown outside entity.

Re:

[DontBeAMoran]

The first time, it's a KLUDGE! The second, a trick. Later, it's a well-established technique! -- Mike Broido, Intermetrics

post-install

[fulldecent]

And maybe one day we will have a package manager that can install files for you with only having access to save files, not run arbitrary commands on your shell.

Re:

[darkain]

For the sake of argument, let's say this happens. Then what? The code will then be executed on first-run instead. This effectively only slightly delays the security boundary by a few moments.

Re:

[fulldecent]

Well, of course, the packages you are installing would be run in some kind of isolated virtual machine.

Re:

[Actually, I do RTFA]

I mean, the problem is the packages are designed to execute arbitrary code libraries. Installing isn't the issue, right, it's what the code they install does.

Re:

[Entrope]

This is a big consideration in the module system for Go. For example, you can include C code that is linked with a Go module or executable, and you can control the compilation with comments like this:

// #cgo CFLAGS: -DRUSTY_NAIL=1

But only whitelisted compiler and linker flags are accepted through that mechanism, to prevent any arbitrary code from running during the build step. Similarly, a //go:generate comment can indicate how to generate source files -- but those commands are never run automatically;

patch.exe?

[daniel23]

From the sound of it it appears that once again my OS of choice won't be supported. And not even WINE installed.

Re:

[ZiggyZiggyZig]

well if you want to run the Linux version of the trojan you need to compile it yourself first, of course.

Meh

[TFlan91]

Meh, npm has inflated/inaccurate download numbers at best.

Of those 100 downloads, I imagine 99 of them were npm mirrors, not true users.

Re: Meh

[NagrothAgain]

And the 1 user download was the original uploader checking to make sure everything worked.

And this is why

[mattr]

Every time Visual Studio asks me to install npm I think "that would be nice" and then remember the last news story like this one and don't. Yes it would be nice but I always find a way to do without.

I'm not an expert in Javascript

[iampiti]

...but there has to be already a million libraries (or one or a few well-known ones) on Javascript to deal with JSON. Why would you use these ones? I mean, who would install that and why?

And the author was ...

[Toad-san]

Hmm? And has he been shot?