NPM Package Steals Passwords via Chrome’s Account-Recovery Tool
Quote: A credentials-stealing code bomb that uses legitimate password-recovery tools in Google’s Chrome web browser was found lurking in the npm open-source code repository, waiting to be planted within the sprawling galaxy of apps that pull code from that source.
 
Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands.
 
npm (originally short for Node Package Manager, or NPM) is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine. It’s similar to other code repositories such as GitHub, RubyGems and PyPI in that it’s part of a (very long) software supply chain.
 
“Vast” would be an understatement to describe the ecosystem: npm hosts more than 1.5 million unique packages, and serves up more than 1 billion requests for JavaScript packages per day, to around 11 million developers worldwide.
 
Besides textual JavaScript files, npm also holds various types of executables, such as PE, ELF and Mach-O. ReversingLabs researchers, who published their findings in a Wednesday post, said that during an analysis of the code repository, they found an interesting embedded Windows executable file: a credential-stealing threat. Labeled “Win32.Infostealer.Heuristics”, it showed up in two packages: nodejs_net_server and temptesttempfile.
 
At least for now, the first, main threat is nodejs_net_server. Some details:
  • nodejs_net_server: A package with 12 published versions and a total of more than 1,300 downloads since it was first published in February 2019. It was last updated six months ago and was authored by somebody using the name “chrunlee”. According to ReversingLabs, chrunlee also seems to be an active developer on GitHub, where the developer is working on 61 repositories.

Read more: NPM Package Steals Chrome Passwords | Threatpost


Messages In This Thread
NPM Package Steals Passwords via Chrome’s Account-Recovery Tool - by silversurfer - 22 July 21, 12:25
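
The quoted article notes that npm packages can carry PE, ELF and Mach-O executables alongside JavaScript. The following is an added example, not part of the post or of ReversingLabs' tooling: a defender-side audit that walks an unpacked package directory and reports files whose headers match those formats. The function names and the sample tree (including `lib/helper.exe`) are constructed for illustration.

```python
import pathlib
import struct
import tempfile

# Magic numbers for the executable formats the article names (PE, ELF, Mach-O).
ELF_MAGIC = b"\x7fELF"
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # 32/64-bit, big-endian
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}  # 32/64-bit, little-endian

def classify(data: bytes):
    """Return 'PE', 'ELF', 'Mach-O' or None for the leading bytes of a file."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O"
    # PE: 'MZ' DOS header whose e_lfanew field (offset 0x3C) points at 'PE\0\0'.
    # Following the pointer avoids flagging text that merely starts with "MZ".
    if data[:2] == b"MZ" and len(data) >= 0x40:
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return None

def scan_package(root, read_limit=4096):
    """List (relative path, format) for native binaries in an unpacked package."""
    hits = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if path.is_file() and not path.is_symlink():
            with path.open("rb") as fh:
                kind = classify(fh.read(read_limit))
            if kind:
                hits.append((path.relative_to(root).as_posix(), kind))
    return hits

def build_sample(root):
    """Constructed sample tree; the stubs are bare headers, not real programs."""
    pe_stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    samples = {"index.js": b"module.exports = {};\n",
               "lib/helper.exe": pe_stub,
               "lib/notes.txt": b"MZ is also how this text file starts" + b" " * 64,
               "bin/tool": ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 9}
    for rel, content in samples.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        print(scan_package(tmp))
```

A hit is a prompt for review rather than a verdict, since many legitimate packages ship prebuilt native binaries. Binaries inside nested archives are not covered by this check.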