npm Pulls Malicious Package that Stole Login Passwords

Malicious Software

A malicious package was removed from the npm repository after it was found to be stealing login information from the computers on which it was installed.

The npm repository is a public registry of open-source packages, which Node.js applications commonly pull in as dependencies.

Critical severity

Earlier today, npm pulled the 'bb-builder' package from the repository and marked it as malicious, with critical severity.

The advisory warns that computers on which this package was installed or run should be considered “fully compromised”, because it deployed an executable for the Windows operating system that sent sensitive information to a remote server.

“All secrets and keys stored on that computer should be rotated immediately from a different computer,” npm advises.

Tomislav Pericin, co-founder and chief software architect at ReversingLabs, a firm providing automated static analysis and file reputation services, alerted npm to the package.

The researcher said he found the rogue package while scanning the complete npm repository for dangerous entries: about 9 million packages, which translate into 35 TB of decompressed data.

Not long ago, ReversingLabs conducted a comparable scan of Python packages on the PyPI repository and discovered the “libpeshnx” library, which contained a malicious backdoor.

Action beyond removing the package is essential

Pericin told us that 'bb-builder' was added to npm after the account owner's credentials were compromised. It went unnoticed for a year.

The package name was deliberately chosen so that it could be confused with other packages that developers use more often.

However, bb-builder was not a popular choice: installation statistics show only a few weekly downloads, peaking at 78 during the week of 19-25 June.

npm recommends that developers remove the package, but warns that this may not be enough to ensure the system is clean.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.” – npm

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.