
npm removes malicious JavaScript packages that were caught stealing data

The maintainers of npm, the package manager for JavaScript, have disclosed that they recently removed approximately 40 fraudulent, malware-laden packages that were designed to steal environment variables upon installation.

In a classic case of typosquatting intended to fool inattentive users, the fake packages carried names only slightly different from those of genuine packages on the npm registry. "The package naming was both deliberate and malicious – the intent was to collect useful data from tricked users," npm explained in a blog post.

According to npm, a user by the handle of "hacktask" published the malicious libraries on July 19, including two that mimicked the popular "cross-env" package, which between them were downloaded nearly 700 times before they were removed on Aug. 1. Fortunately, only about 50 of these downloads appear to be genuine installations by real users; the rest came from registry mirrors that automatically downloaded copies, npm explained.

It was a Swedish npm user who initially alerted npm to the problem, reporting via Twitter that a false cross-env package was engaged in suspicious activity.

"If you downloaded and installed any of these packages, you should immediately revoke and replace any credentials you might have had in your shell environment," npm advised.

In response to the incident, npm banned the user "hacktask." Additionally, npm said its developers are discussing various approaches to detecting and preventing future instances of accidental or malicious typosquatting.

"There are programmatic ways to detect this, and we might use them to block publication," the npm blog post reads. "We're using the Smyte service [a trust and safety SaaS offering] to detect spam as it is published to the registry, and will be experimenting with using it to detect other kinds of violations of our terms of service."
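As an added, illustrative example (not code from the article, from npm or from the Smyte service), the following Node.js script shows the two checks a defender would want after reading the incident above: a Damerau-Levenshtein near-miss test of each dependency name against an allowlist of well-known package names, which is the kind of "programmatic" typosquat detection the npm post alludes to, and a check for install-time lifecycle scripts, the hook through which a package can read environment variables at the moment it is installed. The allowlist, the sample manifests, the script names and the distance threshold are all assumptions constructed here.

```javascript
// Added example, not from the SC Media article or from npm. Audits a project's
// dependencies for (1) names that are a near-miss for a well-known package
// (typosquatting, e.g. "crossenv" vs. "cross-env") and (2) dependencies that
// declare install-time lifecycle scripts, where an env-stealing payload would run.

// Constructed allowlist of well-known names; a real deployment would use a
// much larger list (e.g. the registry's most-downloaded packages).
const KNOWN_PACKAGES = ["cross-env", "lodash", "express", "react", "mongoose"];

// Lifecycle hooks npm runs automatically during installation.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Damerau-Levenshtein distance (optimal string alignment variant): counts
// insertions, deletions, substitutions and adjacent transpositions.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Strip separators so "crossenv", "cross_env" and "cross.env" all collapse to
// the same string as "cross-env" before the distance is measured.
function normalise(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Return the well-known package a name resembles, or null if the name is
// itself well-known or is too different to be a plausible typosquat.
function typosquatOf(name, known = KNOWN_PACKAGES, maxDistance = 1) {
  if (known.includes(name)) return null;
  const n = normalise(name);
  let best = null;
  for (const k of known) {
    const dist = editDistance(n, normalise(k));
    if (dist <= maxDistance && (best === null || dist < best.dist)) best = { k, dist };
  }
  return best ? best.k : null;
}

// List the install-time hooks a package manifest would run.
function installScripts(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter((h) => typeof scripts[h] === "string" && scripts[h].trim() !== "");
}

// Audit a root package.json against the manifests it resolved to. The resolved
// manifests are passed in directly here; in practice they would be read from
// node_modules/<name>/package.json (ideally after installing with --ignore-scripts).
function auditDependencies(rootManifest, resolvedManifests) {
  const findings = [];
  for (const name of Object.keys(rootManifest.dependencies || {})) {
    const lookalike = typosquatOf(name);
    if (lookalike) findings.push({ name, issue: "typosquat", detail: `looks like ${lookalike}` });
    const dep = resolvedManifests[name];
    if (dep) {
      const hooks = installScripts(dep);
      if (hooks.length > 0) findings.push({ name, issue: "install-script", detail: hooks.join(",") });
    }
  }
  return findings;
}

// Constructed sample: a project that typed "crossenv" instead of "cross-env",
// and a resolved "crossenv" manifest with a postinstall hook (script name invented).
const SAMPLE_ROOT = {
  name: "demo-app",
  dependencies: { crossenv: "^5.0.0", lodash: "^4.17.4", express: "^4.15.0" },
};
const SAMPLE_RESOLVED = {
  crossenv: { name: "crossenv", version: "5.0.0", scripts: { postinstall: "node setup.js" } },
  lodash: { name: "lodash", version: "4.17.4" },
  express: { name: "express", version: "4.15.0" },
};

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditDependencies(SAMPLE_ROOT, SAMPLE_RESOLVED)) {
    console.log(`${f.name}: ${f.issue} (${f.detail})`);
  }
}
```

Both checks are heuristics: short package names sit within distance 1 of many legitimate neighbours, and plenty of honest packages (native add-ons, for instance) declare install scripts, so the output is a list of items to review rather than a verdict. Installing with `npm install --ignore-scripts` first, then reviewing what the flagged packages would have run, keeps the review from being the moment the payload executes.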

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
