In another vast software supply-chain attack, the password-stealer is filching credentials from Chrome on Windows systems.
A credentials-stealing code bomb that uses legitimate password-recovery tools in Google’s Chrome web browser was found lurking in the npm open-source code repository, waiting to be planted within the sprawling galaxy of apps that pull code from that source.
Researchers caught the malware filching credentials from Chrome on Windows systems. The password-stealer is multifunctional: It also listens for incoming commands from the attacker’s command-and-control (C2) server and can upload files, record from a victim’s screen and camera, and execute shell commands.
Abusing Google ChromePass Utility
- nodejs_net_server: A package with 12 published versions and a total of more than 1,283 downloads since it was first published in February 2019. It was last updated six months ago and was authored by somebody using the name “chrunlee,” who also seems to be an active developer on GitHub who’s working on 61 repositories, according to ReversingLabs.
- temptesttempfile: This one’s a bit of a head-scratcher, given that “homepage and GitHub repository links to this package lead to non-existing webpages,” the analysts observed. One of chrunlee’s npm packages – tempdownloadtempfile – also has non-existing links. One of its files – file/test.js – implements the same remote shell functionality as the ones found in versions of the nodejs_net_server package, but this package doesn’t perform execution hijacking, and it lacks a persistence mechanism, making its purpose “a bit unclear,” ReversingLabs said.
chrunlee buffed up the nodejs_net_server package through 12 versions until finally upgrading it last December with a script to download the password-stealer, which the developer hosts on a personal website. It was subsequently tweaked to run TeamViewer.exe instead, “probably because the author didn’t want to have such an obvious connection between the malware and their website,” researchers theorized.
Fun Developer F-Up
ReversingLabs analysts dug up a development “fun fact” when picking through nodejs_net_server code: Its author, chrunlee, not only authored a credential-stealer but also accidentally publishing their own, stored login credentials, cheek-to-jowl with the password grabber, opening chrunlee themselves to attack.
“It appears that the published versions 1.1.1 and 1.1.2 from the npm repository include the results of testing the ChromePass tool on the author’s personal computer,” researchers observed. “These login credentials were stored in the ‘a.txt’ file located in the same folder as the password-recovery tool, named ‘a.exe’.”
Another fun fact: That text file has 282 login credentials captured from chrunlee’s browser, some of which may still be valid (ReversingLabs didn’t verify them). And, some of those credentials feature the lamest of lame passwords (“111,” for example) and user names (“admin,” anyone?).
“Just looking at some of the recovered credentials…shows that the author didn’t always care about best password policy practices,” the analysts gracefully understated.
Bad Packages Haven’t Been Removed
ReversingLabs contacted the npm security team on July 2 to give them a heads-up about the nodejs_net_server and tempdownloadtempfile packages and circled back once again last week, on Thursday, since the team still hadn’t removed the packages from the repository. Threatpost reached out to npm Inc., which maintains the repository, and will update this story with any update or feedback.
If they aren’t taken down by the time this article posts, these are the packages and SH1 to look out for:
- nodejs_net_server-1.0.0: f79e03d904fafc5171392d2e54e10057780f9c25
- nodejs_net_server-1.0.1: 9027433ef11506f349e9d89ec83d8050e669e3fb
- nodejs_net_server-1.0.2: af2ec5a8e2a873e960f38d16e735dd9f52aa1e8b
- nodejs_net_server-1.0.3: 41b56bd5b7aaf6af3b9a35a9e47771708fddc172
- nodejs_net_server-1.0.4: 3128ebd6c3e89dc2b5a7ecf95967a81a4cdde335
- nodejs_net_server-1.0.5: eb9cfe52e304702f1cf0fb1cc11dfc3fb1b0eab7
- nodejs_net_server-1.0.6: 4b518b15db29eb9a0d8d11d1642f73e9da1275ca
- nodejs_net_server-1.0.7: afe203e2d2cb295955915ba04edb079ae7697c62
- nodejs_net_server-1.0.8: 6e9b1d8ce1bb49f0abc3bea62e0435912d35b458
- nodejs_net_server-1.1.0: 9bf160389b0401435a2e5f8541688c1d5f877896
- nodejs_net_server-1.1.1: 1be0fa1d44859e4c0bafc8317c1da1d4e897c1cc
- nodejs_net_server-1.1.2: 3cb0aeed9f260d38504677c834a5878b4eb59dc2
- tempdownloadtempfile-1.0.0: ffbefb79bd6b72a0e42bc04e03b9f63aa9e859e5
Earlier npm Hijacks
This isn’t the first time that npm has been infiltrated by poisonous code. Earlier this year, three malicious software packages were published to npm; any applications corrupted by the code could steal tokens and other information from Discord users, researchers said.
In July 2018, an attacker compromised the npm credentials of an ESLint maintainer and published malicious versions of the popular “eslint-scope” and “eslint-config-eslint” packages to the npm registry. The malicious code copied the npm credentials of the machine running eslint-scope and uploaded them to the attacker.
A few months later, in November 2018, another malicious package was discovered: it was a dependency to version 3.3.6 of the popular package, “event-stream.” The malicious package, called “flatmap-stream,” contained an encrypted payload that was tailored to steal Bitcoins from the Copay application.
Repositories Are Increasingly Popular Targets
It’s not just npm in cyberattacker crosshairs, mind you. Earlier this month, researchers stumbled on a group of cryptominers that infiltrated PyPI, aka the Python Package Index (PyPI), a repository of software code created in the Python programming language.
According to the report, the npm infiltration is just the latest example of how developers are putting too much trust in third-party code, reusing libraries to get fast, easy results and “rarely [making] in-depth security assessments before including them into their project.”
Granted, there’s a whole lot of code to suss out.
“This omission is a result of the overwhelming nature, and the vast quantity, of potential security issues found in third-party code,” according to ReversingLabs. “Hence in general, packages are quickly installed to validate whether they solve the problem and, if they don’t, move on to the alternative. This is a dangerous practice, and it can lead to incidental installation of malicious software.”
In the report’s conclusion, ReversingLabs noted that software supply-chain attacks are becoming “a powerful strategy” for malicious actors, with developers being targeted as a critical entry point to their organization and its client base.
“One of the most frequent attack vectors targeting developers is exploitation of public package repositories,” the report warned. “As these repositories have a large number of hosted packages, they offer a good hiding place for malware to lurk in. Repetitive discovery of malicious packages in these repositories has proven that there is a growing need for security solutions that can provide reliable identification and protection against these types of attacks.”
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.
Some parts of this article are sourced from: