A
malicious JavaScript package was uploaded Dec. 30 2019 on the Node Package
Manager (npm), the world’s largest software registry, containing over 800,000
code packages that developers use to write JavaScript applications.
The
package, identified as 1337qq-js, was
spotted stealing sensitive data through install scrips of Unix Systems. It
marks the sixth-known incident to strike the npm repository in the past three
years.
According
to the analysis by the npm team, only Unix Systems are targeted, and the data
it collects includes running processes, environment variables, uname
–a, npmrc file and /etc/hosts.
So
how can this malicious package affect its users? Well, some sensitive
information such as hard-coded passwords and API access tokens are sometimes
stored as environment variables in JavaScript web or mobile apps.
In recent
years, similar security breaches have made it on the npm repository index. Most
notably, in April 2017, npm was hit with the upload of 38 malicious libraries configured to steal environment details from projects
that used them.
Luckily,
the malicious package was successfully removed from the npm website after a
two-week shelf life.
The
npm repository for 1337qq-js now
reads: “This package name is not currently in use, but was formerly occupied by
another package. To avoid malicious use, npm is hanging on to the package name,
but loosely, and we’ll probably give it to you if you want it.”
As
a security measure, developers who downloaded or used the malicious JavaScript
package are urged to remove it from their systems and reset any compromised
passwords or credentials.