Npm team warns of new 'binary planting' bug

Npm bug lets booby-trapped npm (JavaScript) packages plant or alter binaries on the victim's system.
Written by Catalin Cimpanu, Contributor

The team behind npm, the biggest package manager for JavaScript libraries, has issued a security alert yesterday, advising all users to update to the latest version (6.13.4) to prevent "binary planting" attacks.

Npm (Node.js Package Manager) devs say the npm command-line interface (CLI) client is impacted by a security bug -- a combination of a path traversal and an arbitrary file (over)write issue.

The bug can be exploited by attackers to plant malicious binaries or overwrite files on a user's computer.

The vulnerability can be exploited only during the installation of a booby-trapped npm package via the npm CLI.

"However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planted backdoored or booby-trapped packages on the official npm repository.

No signs of attacks

Npm devs say they've been scanning the npm portal for packages that may contain exploit code designed to exploit this bug, but have not seen any suspicious cases.

"That does not guarantee that it hasn't been used, but it does mean that it isn't currently being used in published packages on the [official npm] registry," npm devs said.

"We will continue monitoring," they added. "However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible."

Besides npm, yarn, another package manager for JavaScript, is also affected. The bug was fixed in yarn with the release of yarn 1.21.1, earlier this week.

The npm and yarn teams credited German security researcher Daniel Ruf with discovering this vulnerability. An in-depth technical report is available on Ruf's blog.

Npm's importance in the JS ecosystem

However, the issue impacts npm users more than yarn users. Npm is not only the biggest package management application for JavaScript, but it's also the biggest package repository for any programming language, with more than 350,000 libraries.

JavaScript runs everywhere these days, from browsers to financial apps, and from desktops to servers. Because npm has such a central role in the JavaScript ecosystem, it has often been abused.

Hackers upload booby-trapped libraries to npm in the hope that legitimate projects will use them. They also hijack the npm accounts of known developers and then plant malicious code inside popular libraries. The end goal is to launch attacks or plant backdoors inside apps built with the booby-trapped npm packages, which they can later use to steal data from those apps' users.

There have been many such cases in the past. In July 2018, a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.

In May 2018, a hacker tried to hide a backdoor in another popular npm package named getcookies.

In August 2017, the npm team removed 38 JavaScript npm packages that were caught stealing environment variables from other projects, in an attempt to collect project-sensitive information, such as passwords or API keys.

Cryptocurrency users are often targets

But while these past attacks targeted developers, recent attempts to backdoor npm packages have been aimed at cryptocurrency users. This is because JavaScript -- and, by extension, npm -- is used to build and power many of today's web, mobile, and desktop-based cryptocurrency wallet apps.

Attackers often backdoor npm libraries or create booby-trapped clones to plant their code inside wallets and then steal user funds.

For example, in June this year, the npm team found malicious code inside an npm package that was designed to steal cryptocurrency wallet seeds and other login passphrases specific to cryptocurrency apps. The library was used by a cryptocurrency startup that chose to hack itself before hackers could exploit the bug for themselves.

Another similar attack happened in November 2018, when hackers backdoored an npm package used by the Copay desktop and mobile wallet apps so they could steal bitcoins from its users.

The vulnerability patched today is dangerous enough to enable such attacks on developers of cryptocurrency wallets, and their respective users.
