Once again, some malicious npm packages surfaced online to fool users. This time, the npm packages emerged to steal stored passwords from Chrome and other browsers.
npm Packages Steal Browser Passwords
Researchers from ReversingLabs found two malicious npm packages that steal browser passwords.
As elaborated in their blog post, the researchers found these packages by detecting threats via machine learning algorithms. These include the nodejs_net_server package and temptesttempfile package.
Specifically, the first of these carried a file detected as Win32.Infostealer.Heuristics and disguised as “a.exe”. Analyzing this executable revealed that it was actually the ChromePass utility, a tool that can recover passwords saved by the Chrome browser. Explaining this utility, the post reads,
It isn’t malicious by itself, but it can be when put into the malicious use context. For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line.
According to the npm repository, the latest version of nodejs_net_server, v1.1.2, appeared online roughly 6 months ago. The package was first published in February 2019 and has since garnered roughly 1300 downloads across 12 different versions. The malicious functionality, that is, the abuse of the password recovery tool, started with version 1.1.0, which arrived in December 2020.
Likewise, the other package from the same author appeared online in June 2019. However, it did not include the persistence mechanism or the hijacking behaviour.
The researchers have shared the details of the malware execution in their post. Ironically, they found that the author had inadvertently exposed their own passwords within the package as well.
Malicious Packages Removed
Following this report, GitHub confirmed to have removed the malicious packages.
Nonetheless, anyone who has already downloaded these packages must remove them to be safe from potential risks. As a precaution, users should also change any passwords saved in the Chrome browser.