Threat actors have once again planted malicious packages on the official npm registry. This time, two npm packages were found infecting users with the njRAT malware.
npm Packages With njRAT Malware
Security firm Sonatype spotted the two packages, jdb.js and db-json.js, and described in a post how both delivered the njRAT remote access trojan to anyone who installed them.
Both packages appeared on the npm registry recently and were published by the same author. Their names apparently mimicked the legitimate jdb and db-json libraries to trick users into installing them.
Once installed, the packages did not provide the functionality their names suggested. Instead, they dropped a remote access trojan (RAT) on the target machine: njRAT, also known as Bladabindi, a widely used RAT that steals credentials and lets a remote attacker take full control of the compromised system.
Describing the behavior of the jdb.js package in an advisory, npm stated:
The package jdb.js contained malicious code. The package ran a postinstall script and contained a dropper for the njRAT/Bladabindi Remote Access Trojan.
In a separate advisory, npm confirmed the same behavior for db-json.js, the only difference being that db-json.js declared jdb.js as a dependency.
Malicious Packages Now Removed
Sonatype discovered the malicious packages in November 2020 and alerted npm, which then removed both packages from the registry.
However, copies of these packages may still exist on users' devices. Before removal, jdb.js and db-json.js had been downloaded 116 and 132 times respectively.
npm therefore urges affected users to remove the two packages immediately and to rotate every secret and key that was stored on the affected machine, doing so from a different computer. Even then, npm warns that the infected system should be treated as compromised:
The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
Recently, the same researchers also caught a malicious 'twilio-npm' package that opened a backdoor on target systems. It garnered 371 downloads before being deleted from the npm registry.