In the past several weeks, there has been a significant rise in NPM packages with embedded malware. Most recently, three popular packages, with a combined 28 million-plus downloads, were compromised, leading to serious concern over the ecosystem's security.

On November 4, NPM's security team announced some anomalous activity with the package coa, a command-line parser. The NPM team discovered a compromised developer account and several new versions of the package after three years of inactivity. Prior to NPM's announcement, the embedded malware was first noticed when CI pipelines for certain React applications began failing. The updates were particularly strange given that the project had been inactive for several years. Several GitHub users noted the weird behavior, which helped raise initial awareness of the issue.

In addition to coa, rc, a popular lean configuration library, and ua-parser, a user agent parser, were also found to contain malware. As with coa, malicious versions of these packages were uploaded masquerading as legitimate updates; they instead contained scripts that launch malware on the host computer.

Malware in NPM Packages: How it Happened


All three packages had very similar malware embedded within them. In all cases, the malicious actors took advantage of the ecosystem's "preinstall" field. This field lets a package maintainer specify commands that run automatically when the package is installed. In many cases, these commands help compile files or otherwise aid in the package install. However, with a minor change, this field can easily house commands that act maliciously. This method of handling installs has been criticized by many for being essentially `curl | bash`, a notoriously dangerous method of installing packages.

In the cases of coa, rc, and ua-parser, the releases were modified to install and run malware using the following line of code:

"preinstall": "start /B node compile.js & node compile.js"

This installed malware from the DanaBot family of trojans.
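
As an added example (not code from NPM or from the affected packages), the following JavaScript audits parsed package.json manifests for install-time lifecycle scripts such as the preinstall line above. The red-flag patterns and the sample manifests are assumptions constructed for illustration.

```javascript
// Lifecycle script names that npm runs automatically during an install.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Heuristics chosen for this example (assumptions, not an npm feature).
const RED_FLAGS = [
  { name: "background-launch", re: /\bstart\s+\/B\b/i },          // detached Windows start
  { name: "runs-local-js", re: /\bnode\s+[\w.\/\\-]+\.js\b/i },   // executes a bundled script
  { name: "pipe-to-shell", re: /\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b/i },
];

// Return one finding per install hook declared in a parsed package.json.
function auditInstallHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string" || cmd.trim() === "") continue;
    const flags = RED_FLAGS.filter((f) => f.re.test(cmd)).map((f) => f.name);
    findings.push({ package: manifest.name, hook, cmd, flags });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditInstallHooks);
}

// Constructed manifests: the first carries the line quoted in the article.
const SAMPLE_MANIFESTS = [
  { name: "compromised-sample",
    scripts: { preinstall: "start /B node compile.js & node compile.js" } },
  { name: "native-addon-sample", scripts: { install: "node-gyp rebuild" } },
  { name: "plain-sample", scripts: { test: "mocha" } },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

A hook with no flags, like the native build step in the sample, still deserves review because it executes on install. Running `npm install --ignore-scripts` prevents these hooks from executing at all.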

DanaBot malware targets financial information in an attempt to compromise a user's personal information. DanaBot is fairly robust, spreads easily through spam and rootkits, and is equipped to gather personal information off a computer. Specifically, it is capable of targeting financial information by scraping user credentials, taking screenshots, and capturing all the files on the machine. This information is then sent to a remote server in encrypted form. It's also believed that DanaBot can allow for remote computer takeover, leading to serious security concerns. DanaBot usually appears as "sdd.dll" but was also seen as "Thin.dll" and "Dog.dll" in the cases of rc and coa, respectively.

Additional Security Concerns with NPM

While the malware is alarming and should be taken seriously, it's also important to acknowledge the initial attack vector of this entire ordeal. NPM has confirmed that malicious actors were able to compromise an account of one of the maintainers of these packages. Historically, NPM has had a weak security posture, only “strongly recommending” multi-factor authentication for developer accounts. This has led to many old accounts having weak passwords and no multi-factor authentication.

In addition, NPM does not scan packages for vulnerabilities or malware before a release is approved for general consumption. NPM still has chosen not to enforce multi-factor authentication for developer accounts, despite users calling for stricter security measures. Additional measures should likely also be taken, such as requiring GPG signing of packages and potentially scanning for anomalous behavior (like a new version being released after years of inactivity) to help reduce the influx of new malware.
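
The dormancy check suggested above could look like the following added example (not NPM's or FOSSA's code). It assumes input shaped like the version-to-timestamp `time` map in npm registry metadata; the sample timestamps and the 365-day threshold are constructed.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Flag every release published at least minGapDays after the previous one.
function findDormantReleases(time, minGapDays = 365) {
  const releases = Object.entries(time)
    // "created" and "modified" are bookkeeping keys, not versions.
    .filter(([key]) => key !== "created" && key !== "modified")
    .map(([version, iso]) => ({ version, at: Date.parse(iso) }))
    .filter((r) => !Number.isNaN(r.at))
    .sort((a, b) => a.at - b.at);

  const flagged = [];
  for (let i = 1; i < releases.length; i++) {
    const gapDays = Math.floor((releases[i].at - releases[i - 1].at) / DAY_MS);
    if (gapDays >= minGapDays) {
      flagged.push({
        version: releases[i].version,
        previous: releases[i - 1].version,
        gapDays,
      });
    }
  }
  return flagged;
}

// Constructed publish history: regular releases, a gap of about three years,
// then two versions pushed within the same hour.
const SAMPLE_TIME = {
  created: "2018-01-10T00:00:00.000Z",
  modified: "2021-11-04T12:30:00.000Z",
  "1.0.0": "2018-01-10T00:00:00.000Z",
  "1.0.1": "2018-03-01T00:00:00.000Z",
  "1.1.0": "2018-08-15T00:00:00.000Z",
  "1.1.1": "2021-11-04T12:00:00.000Z",
  "1.1.2": "2021-11-04T12:30:00.000Z",
};

console.log(findDormantReleases(SAMPLE_TIME));
```

Only the first release after the gap is flagged; versions that follow it within minutes are not, so a reviewer should treat everything published after a flagged version as part of the same event.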

It is worth noting that these three packages are far from the only ones that have been compromised. NPM has seen many packages fall victim to similar embedded malware attacks, ranging from DanaBot-like trojans to cryptominers like XMRig. NPM has also written about the malware issues it is facing, citing 'index.js', 'update.js', and 'package-setup.js' as the most common payload locations for malware. It would not be unreasonable to think that 'preinstall' will soon make that list, though NPM has also written about this particular issue in the past.

Moving Forward: Coa, Rc, and Ua-parser

All three packages that were affected by this malware have now been reviewed by NPM, and the malicious versions have been removed. However, it's important to check your projects and machines for potentially compromised versions. The versions that are affected are as follows:

Rc

  • = 1.2.9
  • = 1.3.9
  • = 2.3.9

Coa

  • = 2.0.3
  • = 2.0.4
  • = 2.1.1
  • = 2.1.3
  • = 3.0.1
  • = 3.1.3

Ua-parser

  • = 0.7.29
  • = 0.8.0
  • = 1.0.0

Most vulnerability scanners should be equipped to detect these packages. For example, FOSSA’s vulnerability management solution will automatically rescan all your projects and alert you if any of these versions are found. Any computers that have these packages installed should be considered compromised and be handled accordingly.
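
To check a project against the list above, this added example (not FOSSA's scanner) walks a parsed package-lock.json in either layout and reports matches. The sample lockfiles are constructed, and `ua-parser-js` is included as the assumed registry name for the package written here as ua-parser.

```javascript
// Affected versions copied from the list above. "ua-parser-js" is an assumed
// registry name for the package this article calls ua-parser.
const UA = ["0.7.29", "0.8.0", "1.0.0"];
const AFFECTED = new Map([
  ["rc", ["1.2.9", "1.3.9", "2.3.9"]],
  ["coa", ["2.0.3", "2.0.4", "2.1.1", "2.1.3", "3.0.1", "3.1.3"]],
  ["ua-parser", UA],
  ["ua-parser-js", UA],
]);
function check(name, version, path, hits) {
  if ((AFFECTED.get(name) || []).includes(version)) hits.push({ name, version, path });
}

// lockfileVersion 2 and 3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const name = meta.name || path.split("node_modules/").pop();
    check(name, meta.version, path, hits);
  }
}

// lockfileVersion 1: nested "dependencies" tree.
function scanDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    check(name, meta.version, path, hits);
    scanDependencies(meta.dependencies, `${path}/`, hits);
  }
}

function findAffected(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, "", hits);
  return hits;
}

// Constructed lockfiles; the "-sample" package names are made up.
const SAMPLE_LOCK_V2 = { lockfileVersion: 2, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/coa": { version: "2.0.2" },
  "node_modules/build-sample/node_modules/coa": { version: "2.0.4" },
  "node_modules/ua-parser-js": { version: "0.7.29" },
} };
const SAMPLE_LOCK_V1 = { lockfileVersion: 1, dependencies: {
  rc: { version: "1.2.8" },
  "loader-sample": { version: "5.1.0", dependencies: { rc: { version: "1.3.9" } } },
} };
console.log(findAffected(SAMPLE_LOCK_V2), findAffected(SAMPLE_LOCK_V1));
```

The nested hits matter: a clean top-level copy of a package says nothing about the copy a transitive dependency pulled in.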

If you are interested in the malware hashes for each project, you can find them here:

Rc

Coa

Ua-parser