August 7, 2017 By Mark Samuels 2 min read

JavaScript package management specialist npm Inc. removed almost 40 malicious libraries that were attempting to steal developer credentials.

Recent investigations by npm — the Node.js management registry — revealed that a threat actor known as HackTask had uploaded 38 JavaScript packages to the npm repository. The attack attempted to steal environmental variables and could have had serious consequences since this kind of developer information includes passwords and tokens for software and services.

After being alerted to the threat by a user on Twitter, npm worked quickly to track down and remove the infected packages. HackTask has since been banned from using the npm repository, but developers should note the risk associated with similar infections and tactics.

Targeting JavaScript Packages

The attacker used typosquatting to register packages that had names similar to popular libraries on the npm registry. According to npm’s blog, while errant package naming is often accidental, the typosquatting was intentional and malicious in this case.

Twitter user Oscar Bolmsten alerted npm to the attacking technique. The Swedish developer noted the anomaly in the crossenv package, which bears a name similar to the npm cross-env script used to set environmental variables across platforms.

Another registered package was called mongose, which included both the genuine Mongoose project and additional malevolent code, reported Bleeping Computer. The npm blog post explained that the attackers wanted to use the malicious code to hoard knowledge from deceived users.

The Scale of the Attack

The security team at npm immediately investigated the threat, tracked other errant libraries and removed 38 packages. All of HackTask’s malicious activities, which were available from July 19 to 31, have now been removed from the registry.

The largest danger came from the crossenv package. Researchers at npm reported that this package was downloaded almost 700 times during the two-week period. However, the firm also estimated that there were just 50 real installations of crossenv, and possibly fewer.

While the malicious activity has now stopped, the incident represents a real threat to developers. The errant files would have run a script named package-setup.js, according to The Register. The malicious code would have been implemented when developers ran their projects. It would have then gathered environment variables of developers and sent them to the attacker’s server at npm.hacktask.net, the Bleeping Computer article noted.

Long-Term Risks to Developers

Attackers target environmental variables because they are regularly used to offer credentials to software, npm CTO CJ Silverio told The Register. These environmental variables are used to store sensitive data points, including account names, passwords, tokens and keys for access to other applications and services. Silverio added that she is unaware of any developers suffering account compromises due to the attack.

The npm security team said it was working to resolve the current problem and related concerns. This includes a range of programmatic techniques and other approaches to detect packages with similar names, as well as improving controls to enhance overall security. According to another Bleeping Computer piece, the npm security team forced users to reset their passwords in June 2017 after discovering that 13 percent of its packages relied on frail credentials.

The company provided a list of affected packages in its blog post. Developers who might have used any of these infected packages should change their passwords immediately.

More from

How to calculate your AI-powered cybersecurity’s ROI

4 min read - Imagine this scenario: A sophisticated, malicious phishing campaign targets a large financial institution. The attackers use emails generated by artificial intelligence (AI) that closely mimic the company's internal communications. The emails contain malicious links designed to steal employee credentials, which the attackers could use to gain access to company assets and data for unknown purposes.The organization's AI-powered cybersecurity solution, which continuously monitors network traffic and user behavior, detects several anomalies associated with the attack, blocks access to the suspicious domains…

Being a good CLR host – Modernizing offensive .NET tradecraft

14 min read - The modern red team is defined by its ability to compromise endpoints and take actions to complete objectives. To achieve the former, many teams implement their own custom command-and-control (C2) or use an open-source option. For the latter, there is a constant stream of post-exploitation tooling being released that takes advantage of various features in Windows, Active Directory and third-party applications. The execution mechanism for this tooling has, for the last several years, relied heavily on executing .NET assemblies in…

The current state of ransomware: Weaponizing disclosure rules and more

4 min read - As we near the end of 2024, ransomware remains a dominant and evolving threat against any organization. Cyber criminals are more sophisticated and creative than ever. They integrate new technologies, leverage geopolitical tensions and even use legal regulations to their advantage.What once seemed like a disruptive but relatively straightforward crime has evolved into a multi-layered, global challenge that continues to threaten businesses and governments alike.Let’s take a look at the state of ransomware today. We’ll focus on how cyber criminals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today