It’s common that malicious actors often use public repositories to dump their malwares, hoping that some would pick it up to use them in some way. While the Pastebin and GitHub platforms are already carrying this tag, the largest package manager library for any programming language, npm is one of them too.
The security team has warned developers who have imported any of these packages should consider their systems were compromised. Thus, “All secrets and keys stored on that computer should be rotated immediately from a different computer.” read their advisory.
Shells in here are like the backdoors of a computer, which are the main targets for any hackers for exploitation. These can give them remote access to inject any malicious code like trojans or ransomware malwares to encrypt their systems and steal sensitive data. The team said these shells work on not just Windows, but also on Linux, FreeBSD, OpenBSD etc.
All three were living in the npm repository for almost a year and were downloaded by developers more than 100 times since October 2019. These were removed, just as the earlier findings of one library called fallguys that’s found to be stealing sensitive files from users browsers