Malicious npm package opens backdoors on programmers' computers

JavaScript library posing as a Twilio-related library opens backdoors to let attackers access infected workstations.
Written by Catalin Cimpanu, Contributor
Image: npm, Armand Khoury, ZDNet

The npm security team has removed today a malicious JavaScript library from the npm website that contained malicious code for opening backdoors on programmers' computers.

The JavaScript library was named "twilio-npm," and its malicious behavior was discovered over the weekend by Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.

In a report published today, Sonatype said the library was first published on the npm website on Friday, was discovered on the same day, and removed today after the npm security team blacklisted the package.

Despite a short lifespan on the npm portal, the library was downloaded more than 370 times and automatically included in JavaScript projects built and managed via the npm (Node Package Manager) command-line utility.

Ax Sharma, the Sonatype security researcher who discovered and analyzed the library, said the malicious code found in the fake Twilio library opened a TCP reverse shell on all computers where the library was downloaded and imported inside JavaScript/npm/Node.js projects.

The reverse shell opened a connection to "4.tcp.ngrok[.]io:11425" from where it waited to receive new commands to run on the infected users' computers.

Sharma said the reverse shell only worked on UNIX-based operating systems.

Developers asked to change credentials, secrets, keys

"Any computer that has this package installed or running should be considered fully compromised," the npm security team said today, confirming Sonatype's investigation.

"All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm team added.

This marks the fourth major takedown of a malicious npm package over the past three months.

In late August, the npm staff removed a malicious npm (JavaScript) library designed to steal sensitive files from an infected users' browser and Discord application.

In September, npm staff removed four npm (JavaScript) libraries for collecting user details and uploading the stolen data to a public GitHub page.

In October, the npm team removed three npm (JavaScript) packages that were also caught opening reverse shells (backdoors) on developer computers. The three packages were also discovered by Sonatype. Unlike the one discovered over the weekend, these three also worked on Windows systems, and not just UNIX-like systems.

What's in a name? These DevOps tools come with strange backstories

Editorial standards