Npm Removes Data Theft Code
Popular JavaScript developer tool removes malicious package that tried to steal data, in latest attack on software supply chain
The developers of the Node.js package manager npm have removed malicious code that attempted to steal data from developers’ systems.
The “fallguys” package contained malicious code that attempted to read sensitive files on a user’s system, npm said in a security advisory.
The malware was designed to send the data it collected to the Discord communications platform via a webhook, npm said.
The malicious code attempted to access five paths on Windows systems, four of which are used to store data for the Chrome, Opera, Yandex and Brave browsers.
Data theft
The fifth path is used for data storage by the Discord application.
Npm advised developers to remove the package from their systems and to ensure any security credentials that may have been compromised are changed.
The “fallguys” name is apparently a reference to the game Fall Guys: Ultimate Knockout.
The malicious package was available on the npm portal for two weeks, during which time it was downloaded nearly 300 times, according to npm’s telemetry.
The incident underscores how the complexity of modern software development can leave software projects vulnerable to the insertion of malicious code.
Npm is a JavaScript package manager, and is widely used to include external libraries from the Node.js runtime in any software.
It is developed by npm, a subsidiary of GitHub, which is in turn owned by Microsoft.
Stolen funds
Hackers have been caught in the past attempting to insert malicious code into npm, notably at the beginning of this year, when attackers added the malicious package 1337qq-js to npm, uploading it on 31 December.
The package targeted Unix systems, from which attempted to steal information via install scripts. It was removed after being reported by Microsoft’s Vulnerability Research team on 13 January.
In June of last year, npm said it foiled an attempt to compromise the Agama cryptocurrency wallet via a malicious npm package.
“The attack was carried out by using a pattern that is becoming more and more popular; publishing a ‘useful’ package… to npm, waiting until it was in use by the target, and then updating it to include a malicious payload,” npm said at the time.
Stealth hacking
Npm said its internal security tools alerted it to the threat, after which it contacted Komodo, the cryptocurrency platform that had acquired Agama’s developer, and removed the malicious package from its systems.
Even so, Komodo said attackers had succeeded in gaining control of about 1 million KMD, currently the equivalent of about £580,000.
Komodo said a hacker had spent “several months” making useful contributions to the Agama repository on GitHub before inserting the malicious code.
“Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using,” Komodo said at the time.
In 2018 hackers targeted a popular JavaScript library called event-stream, also via npm, in an effort to steal funds from cryptocurrency wallets.