Malicious npm library removed from the repository due to backdoor capabilities

Pierluigi Paganini November 03, 2020

The npm security team has removed a malicious JavaScript library named “twilio-npm” from its repository because contained malicious code.

The npm security team has removed a malicious JavaScript library named “twilio-npm” from its repository because contained a code for establishing backdoors on the computers of the programmers. Npm is the largest package repository for any programming language.

The tainted JavaScript library was spotted by the researcher Ax Sharma from security firm Sonatype.

The fake Twilio library was recently uploaded on the npm repository and was downloaded more than 370 times and automatically imported in JavaScript projects managed via the npm (Node Package Manager) command-line utility.

The library contained a code to open a TCP reverse shell on UNIX-based machines where the library was downloaded and imported inside JavaScript/npm/Node.js projects.

The reverse shell opened a connection to “4.tcp.ngrok[.]io:11425” waiting for commands from the attacker.

“twilio-npm opened a reverse shell to a remote server as a postinstall script.” reads the alert published by the researcher.”

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”

The presence of malicious npm packages in the official repository is becoming frequent. In October, NPM staff removed four JavaScript packages from the npm portal because were containing malicious code. Npm is the largest package repository for any programming language.

The four packages, which had a total of one thousand of downloads, are:

This marks the fourth major takedown of a malicious npm package over the past three months.

In late August, the npm staff removed a malicious npm (JavaScript) library designed to steal sensitive files from an infected users’ browser and Discord application.

In September, npm staff removed four npm (JavaScript) libraries for collecting user details and uploading the stolen data to a public GitHub page.

In October, the npm team removed three npm (JavaScript) packages that were also caught opening reverse shells (backdoors) on developer computers. The three packages were also discovered by Sonatype. Unlike the one discovered over the weekend, these three also worked on Windows systems, and not just UNIX-like systems.

In August, the npm security team has removed the JavaScript library “fallguys” from the npm portal because it was containing a malicious code used to steal sensitive files from an infected users’ browser and Discord application.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, npm library)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment