A rather popular JavaScript library called UAParser.js, written by Faisal Salman, was infected with malware last Friday. The library was hacked and modified with malicious code that downloads and installs a password stealer alongside a cryptocurrency miner on systems running the compromised versions.
According to the library’s author, “I believe someone was hijacking my npm account and published some compromised packages which will probably install malware.” Hours after discovering the hack, Salman pulled the compromised versions and replaced them with patched ones.
At the time of writing, the library has had 7,899,915 weekly downloads and is used by some of the biggest Silicon Valley giants.
Big download numbers equal big threat potential
Further analysis of the malicious code revealed extra scripts that can download and execute binaries from a remote server. These binaries were provided for both Windows and Linux. According to a GitHub user named KalleOlaviNeimitalo, version 0.7.29 included these scripts. From the command-line arguments, it looks like one of them is a crypto miner, but there’s a good chance that it might just be for camouflage.
Furthermore, these scripts can also download and install a trojan that can export browser cookies, passwords, and OS credentials on Windows systems. This is an infostealer trojan that’s possibly a version of the Danabot malware found by another GitHub user.

Since the library is used by several big corporations, including Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, Reddit, and many independent developers in general, even CISA has released a notification regarding the vulnerability. The GitHub Advisory Database has also documented the malware and classified it under CWE-506.
As of right now, the compromised versions are 0.7.29, 0.8.0 and 1.0.0, which have been replaced with the following patched versions — 0.7.30, 0.8.1, 1.0.1.
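As an added example (not from the original article or the UAParser.js project), the check below scans a parsed package-lock.json for locked copies of ua-parser-js at the compromised versions listed above, including copies pulled in transitively. The sample lockfiles and the `some-tracker` package name are constructed for illustration.

```javascript
// Added example: flag compromised ua-parser-js releases in a parsed package-lock.json.
const COMPROMISED = new Set(["0.7.29", "0.8.0", "1.0.0"]); // versions named in the article
const PKG = "ua-parser-js";

// Returns [{ path, version }] for every locked copy of PKG at a compromised version.
function findCompromised(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path ("" is the root project).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === PKG && COMPROMISED.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  if (lock.packages) return hits; // v2 files repeat the same data under "dependencies"
  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG && COMPROMISED.has(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles (not real project data; "some-tracker" is hypothetical).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" }, // root project: must not be flagged
    "node_modules/ua-parser-js": { version: "0.7.30" }, // patched
    "node_modules/some-tracker/node_modules/ua-parser-js": { version: "0.7.29" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-tracker": { version: "2.1.0", dependencies: { "ua-parser-js": { version: "1.0.0" } } },
    "ua-parser-js": { version: "0.8.1" }, // patched
  },
};
console.log(findCompromised(sampleV3));
console.log(findCompromised(sampleV1));
```

To check a real project, pass the result of `JSON.parse` on its package-lock.json to `findCompromised`; a hit means the malicious install scripts may have run on any machine that installed from that lockfile.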