Heimdal Security Blog

NPM Malware Poses a Threat to Passwords in Google Chrome

Researchers from ReversingLabs have released a report detailing a threat, referred to as NPM malware, that they found in NPM packages and that targets credentials by means of the Google Chrome Recovery Tool.

How Does the NPM Malware Operate?

The NPM malware is identified as Win32.Infostealer.Heuristics, but the file was originally named “a.exe” and could be found in the “lib” folder.

It works by listening for commands that the threat actors send from their own command-and-control (C2) server and can perform a series of malicious actions: recording with the victim’s camera, uploading and looking up files, executing shell commands, and listing directories.

Where Can the NPM Malware Be Found?

As the report states, the malware was found in two NPM packages, the first of which is the main threat the researchers discovered.

nodejs_net_server

This is the first place where the malware was identified.

Its main features are:

Temptesttempfile

This is the second place where the malware can be found, but it is not as dangerous as the first, since here the threat is not as well developed.

What Is NPM?

NPM is a repository of open-source code; the acronym stands for Node Package Manager. It is the default package manager for Node.js, the runtime built on Chrome’s V8 JavaScript engine. It is similar to GitHub in that it is a code repository that lets developers share and reuse packages, and many applications pull code from it.

Who Is Behind the NPM Malware?

According to Threatpost, researchers found that the NPM malware was most likely the work of a user going by “chrunlee”, who updated the threat until December 2020, when he released a final version that steals passwords via the ChromePass freeware.

However, the threat actor seems to have made some mistakes and overlooked some flaws in the implementation of the NPM malware.

A curious detail about the versions that contain the password recovery tool is that the package author accidentally published their own stored login credentials. The published versions 1.1.1 and 1.1.2 in the NPM repository appear to include the results of testing the ChromePass tool on the author’s personal computer. These login credentials were stored in the “a.txt” file, located in the same folder as the password recovery tool named “a.exe”.


What Let Hackers Plant the NPM Malware? The Cause

The researchers agree that developers rely too heavily on third-party code, and that this habit of reusing libraries is what makes this type of malware possible.

“This omission is a result of the overwhelming nature, and the vast quantity, of potential security issues, found in third-party code,” according to ReversingLabs. “Hence in general, packages are quickly installed to validate whether they solve the problem and, if they don’t, move on to the alternative. This is a dangerous practice, and it can lead to the incidental installation of malicious software.”


Mitigation Measures

After the discovery, the analysts from ReversingLabs contacted the NPM Security Team, which responded by removing both malicious packages mentioned above.