Malicious npm package taken down after Microsoft warning



Criminals have been caught trying to sneak a malicious package onto the popular Node.js platform npm (Node Package Manager).


The problem package, 1337qq-js, was uploaded to npm on 31 December, after which it was downloaded at least 32 times according to figures from npm-stat.


According to a security advisory announcing its removal, the package’s suspicious behaviour was first noticed by Microsoft’s Vulnerability Research team, which reported it to npm on 13 January 2020:



The package exfiltrates sensitive information through install scripts. It targets UNIX systems.



The data it steals includes:


  • Environment variables

  • Running processes

  • /etc/hosts

  • uname -a

  • npmrc file

Any of these could lead to trouble, especially the theft of environment variables, which can include API tokens and, in some cases, hardcoded passwords.


Anyone unlucky enough to have downloaded this will need to rotate those as a matter of urgency in addition to de-installing 1337qq-js itself.

What to do

The offending versions of the package are versions 1.0.11 to 1.0.9 inclusive.

The advice is to check for dependencies by generating a report using the npm audit command from the command line. This alerts admins to packages known to be malevolent as well as any other security issues that need addressing. In a perfect world, an audit will return this ..
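Alongside npm audit, a project can be checked directly from its lockfile. The script below is an added example, not code from the article or from npm: it scans a package-lock.json for the package and version range named above and also lists every dependency that declares an install script, since install scripts are how the advisory says the data is taken. It assumes the lockfile v2/v3 layout (a top-level "packages" map with "hasInstallScript" flags) and uses a constructed sample lockfile rather than a real project's.

```python
import json

# Package and inclusive version range as stated in the advisory.
MALICIOUS_PACKAGE = "1337qq-js"
AFFECTED_RANGE = ("1.0.9", "1.0.11")

# Constructed sample package-lock.json (lockfile v2 layout); not a real project's lockfile.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"dependencies": {"1337qq-js": "^1.0.9", "left-pad": "^1.3.0"}},
        "node_modules/1337qq-js": {"version": "1.0.10", "hasInstallScript": True},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/some-native-lib": {"version": "2.1.0", "hasInstallScript": True},
    },
})


def parse_version(version):
    """Turn '1.0.10' into (1, 0, 10) so versions compare numerically, not as strings.
    Any pre-release suffix (e.g. '-beta') is dropped before the numeric compare."""
    return tuple(int(part.split("-")[0]) for part in version.split("."))


def in_affected_range(version):
    # sorted() tolerates the range being written high-to-low, as the article does.
    low, high = sorted(parse_version(v) for v in AFFECTED_RANGE)
    return low <= parse_version(version) <= high


def audit_lockfile(lock_text):
    """Return (hits, install_script_pkgs): hits are (name, version) entries of the
    malicious package inside the affected range; install_script_pkgs lists every
    dependency whose lockfile entry declares an install script (assumed v2+ layout)."""
    packages = json.loads(lock_text).get("packages", {})
    hits, install_script_pkgs = [], []
    for path, meta in packages.items():
        if path == "":
            continue  # root project entry, not a dependency
        name = path.rsplit("node_modules/", 1)[-1]
        version = meta.get("version", "")
        if name == MALICIOUS_PACKAGE and in_affected_range(version):
            hits.append((name, version))
        if meta.get("hasInstallScript"):
            install_script_pkgs.append((name, version))
    return hits, install_script_pkgs


if __name__ == "__main__":
    found, scripted = audit_lockfile(SAMPLE_LOCK)
    print("malicious package present:", found)
    print("packages with install scripts:", scripted)
```

Packages with install scripts are not malicious by themselves; the list is there so an admin knows which dependencies ran code at install time and should be reviewed, and it can be applied to a real package-lock.json by replacing the sample.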
