Once again, the npm security team has caught a bunch of malicious npm packages on the portal. These npm packages opened shells on target Windows and Linux devices.
npm Packages Opened Shells On Windows, Linux
The security team at npm has published back-to-back advisories about multiple malicious npm packages. Specifically, three of these opened shells on the target Windows and Linux systems after download.
These packages include,
According to npm, all versions of these packages contained malicious codes. In turn, the packages compromised complete systems opening shells on it to a remote server. npm has warned that any system running any versions of these packages should be considered fully compromised.
Besides, npm also removed one more malicious package from the portal, npmpubman. This package contained codes
According to the package details, all these packages existed on the portal for about a year with many downloads.
Malicious Packages Now Removed, But…
Upon detecting the malicious packages, team npm removed them from the portal whilst placing the following description on their pages.
This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
However, the threat continues to persist for any systems that are still running any of these packages.
Therefore, users must ensure checking their systems and removing the malicious package(s).
All secrets and keys stored on that computer should be rotated immediately from a different computer.
Although, they have warned that complete removal of the packages may not warrant remediation.
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Whereas, for npmpubman victims, npm advises removal of the package and rotating compromised credentials as a remedy.