August 7, 2017 By Mark Samuels 2 min read

JavaScript package management specialist npm Inc. removed almost 40 malicious libraries that were attempting to steal developer credentials.

Recent investigations by npm — the Node.js management registry — revealed that a threat actor known as HackTask had uploaded 38 JavaScript packages to the npm repository. The attack attempted to steal environmental variables and could have had serious consequences since this kind of developer information includes passwords and tokens for software and services.

After being alerted to the threat by a user on Twitter, npm worked quickly to track down and remove the infected packages. HackTask has since been banned from using the npm repository, but developers should note the risk associated with similar infections and tactics.

Targeting JavaScript Packages

The attacker used typosquatting to register packages that had names similar to popular libraries on the npm registry. According to npm’s blog, while errant package naming is often accidental, the typosquatting was intentional and malicious in this case.

Twitter user Oscar Bolmsten alerted npm to the attacking technique. The Swedish developer noted the anomaly in the crossenv package, which bears a name similar to the npm cross-env script used to set environmental variables across platforms.

Another registered package was called mongose, which included both the genuine Mongoose project and additional malevolent code, reported Bleeping Computer. The npm blog post explained that the attackers wanted to use the malicious code to hoard knowledge from deceived users.

The Scale of the Attack

The security team at npm immediately investigated the threat, tracked other errant libraries and removed 38 packages. All of HackTask’s malicious activities, which were available from July 19 to 31, have now been removed from the registry.

The largest danger came from the crossenv package. Researchers at npm reported that this package was downloaded almost 700 times during the two-week period. However, the firm also estimated that there were just 50 real installations of crossenv, and possibly fewer.

While the malicious activity has now stopped, the incident represents a real threat to developers. The errant files would have run a script named package-setup.js, according to The Register. The malicious code would have been implemented when developers ran their projects. It would have then gathered environment variables of developers and sent them to the attacker’s server at npm.hacktask.net, the Bleeping Computer article noted.

Long-Term Risks to Developers

Attackers target environmental variables because they are regularly used to offer credentials to software, npm CTO CJ Silverio told The Register. These environmental variables are used to store sensitive data points, including account names, passwords, tokens and keys for access to other applications and services. Silverio added that she is unaware of any developers suffering account compromises due to the attack.

The npm security team said it was working to resolve the current problem and related concerns. This includes a range of programmatic techniques and other approaches to detect packages with similar names, as well as improving controls to enhance overall security. According to another Bleeping Computer piece, the npm security team forced users to reset their passwords in June 2017 after discovering that 13 percent of its packages relied on frail credentials.

The company provided a list of affected packages in its blog post. Developers who might have used any of these infected packages should change their passwords immediately.

More from

Cybersecurity risks in healthcare are an ongoing crisis

4 min read - While healthcare providers have been implementing technical, administrative and physical safeguards related to patient information, they have not been as diligent in securing their medical devices. These devices are critical to patient care and can leave hospitals at risk for cyberattacks, causing major disruptions to patient care. In fact, 88 million individuals were affected by large breaches, compromising vast amounts of electronic protected health information (ePHI) last year according to the U.S. Department of Health & Human Services. This year,…

CVE backlog update: The NVD struggles as attackers change tactics

4 min read - In February, the number of vulnerabilities processed and enriched by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) started to slow. By May, 93.4% of new vulnerabilities and 50.8% of known exploited vulnerabilities were still waiting on analysis, according to research from VulnCheck.Three months later, the problem persists. While NIST has a plan to get back on track, the current state of common vulnerabilities and exposures (CVEs) isn't keeping pace with new vulnerability detections. Here's a…

The rising threat of cyberattacks in the restaurant industry

2 min read - The restaurant industry has been hit with a rising number of cyberattacks in the last two years, with major fast-food chains as the primary targets. Here’s a summary of the kinds of attacks to strike this industry and what happened afterward. Data breaches have been a significant issue, with several large restaurant chains experiencing incidents that compromised the sensitive information of both employees and customers. In one notable case, a breach affected 183,000 people, exposing names, Social Security numbers, driver's…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today