Geeks for your information News Privacy & Security News v
NPM Package Steals Passwords via Chrome’s Account-Recovery Tool
NPM Package Steals Passwords via Chrome’s Account-Recovery Tool
silversurfer Offline
Staff Member
******
Posts: 3,885
Threads: 3,283
Thanks Received: 5,064 in 3,838 posts
Thanks Given: 6,200
Joined: 12 September 18
#1
Information  22 July 21, 12:25
Quote:A credentials-stealing code bomb that uses legitimate password-recovery tools in Google’s Chrome web browser was found lurking in the npm open-source code repository, waiting to be planted within the sprawling galaxy of apps that pull code from that source.
 
Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands.
 
npm (originally short for Node Package Manager, or NPM) is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine. It’s similar to other code repositories such as GitHub, RubyGems and PyPI in that it’s part of a (very long) software supply chain.
 
“Vast” would be an understatement to describe the ecosystem: npm hosts more than 1.5 million unique packages, and serves up more than 1 billion requests for JavaScript packages per day, to around 11 million developers worldwide.
 
Besides textual JavaScript files, npm also holds various types of executables, such as PE, ELF and Mach-O. ReversingLabs researchers, who published their findings in a Wednesday post, said that during an analysis of the code repository, they found an interesting embedded Windows executable file: a credential-stealing threat. Labeled “Win32.Infostealer.Heuristics”, it showed up in two packages: nodejs_net_server and temptesttempfile.
 
At least for now, the first, main threat is nodejs_net_server. Some details:
  • nodejs_net_server: A package with 12 published versions and a total of more than 1,300 downloads since it was first published in February 2019. It was last updated six months ago and was authored by somebody using the name “chrunlee”. According to ReversingLabs, chrunlee also seems to be an active developer on GitHub, where the developer is working on 61 repositories.

Read more: NPM Package Steals Chrome Passwords | Threatpost
[-] The following 1 user says Thank You to silversurfer for this post:
  • harlan4096
Find
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)
[-]
Welcome
You have to register before you can post on our site.

Username/Email:


Password:

[-]
Recent Posts
AMD DGF SuperCompression cuts geometry s...
AMD’s DGF SuperCom...harlan4096 — 07:21
uBOLite 2026.510.1607 (already available...
uBOLite 2026.510.1...harlan4096 — 07:19
Chrome for Android Adds Approximate Loca...
Google is introduc...harlan4096 — 07:18
AdGuard Browser Extension 5.4.2.0
AdGuard Browser Ex...harlan4096 — 11:45
Cracked in under a minute: (nearly) ever...
We’ve revisited ou...harlan4096 — 11:44

[-]
Birthdays
Today's Birthdays
No birthdays today.
Upcoming Birthdays
avatar (28)akiratoriyama
avatar (48)Jerrycix
avatar (40)awedoli
avatar (82)WinRARHowTo
avatar (38)owysykan
avatar (49)beautgok
avatar (39)axuben
avatar (40)ihijudu
avatar (45)tiojusop
avatar (42)Damiennug
avatar (40)acoraxe
avatar (49)contjrat
avatar (41)axylisyb
avatar (44)tukrublape
avatar (44)knigiJow
avatar (46)1stOnecal
avatar (50)Mirzojap
avatar (36)idilysaju
avatar (40)GregoryRog
avatar (45)mediumog
avatar (40)odukoromu
avatar (46)Joanna4589

[-]
Online Staff
There are no staff members currently online.

>