The npm security team has removed three malicious JavaScript packages from its repository after they were found to open shells on the computers where they were installed. These shells act like backdoors: once open, they can give attackers remote access to install malware and steal data. The npm team has suggested scrutinizing computers that may have installed these packages.
JavaScript Packages Opening Shells!
It’s common for malicious actors to use public repositories to host their malware, hoping that someone will pick it up and use it. Pastebin and GitHub already carry this reputation, and npm, the largest package manager for any programming language, is among them too.
While the npm security team regularly scans for malicious packages to remove them, new ones surface often. In this effort, the npm security team found three JavaScript packages that open shells on the computers on which they are installed: nodetest199, nodetest1010 and plutov-slack-client.
The security team has warned that developers who imported any of these packages should consider their systems compromised. “All secrets and keys stored on that computer should be rotated immediately from a different computer,” reads their advisory.
Shells here act like backdoors into a computer, which are a main target for attackers. They can give attackers remote access to run malicious code, such as trojans or ransomware that encrypts the system, and to steal sensitive data. The team said these shells work not just on Windows, but also on Linux, FreeBSD, OpenBSD and others.
All three had been in the npm repository for almost a year and were downloaded by developers more than 100 times since October 2019. They were removed, as was an earlier finding, a library called fallguys that was found to be stealing sensitive files from users’ browsers.