Over 1,000 Malicious JavaScript Packages Found in Popular Repository
Popular JavaScript package repository NPM announced it had cleaned up around 1,300 malicious packages found in its archives. NPM is a resource repository that allows users to search for JavaScript packages that suit their needs and keep their application dependencies up to date.
Malware Hiding in JS Packages
Research conducted by security firm WhiteSource showed that the number of malicious packages distributed and downloaded through NPM has grown significantly over the past few months. Malicious code inside an application can turn that application into a vehicle for data theft or for serving malware.
The statistical dissection of the detected malicious packages shows that a small part of them, around 14 percent, was used for data theft and credential stealing, while the majority, around 86 percent, was used for passive reconnaissance and data collection. Data obtained in this way could be used to prepare later full-scale attacks against a targeted entity.
Bad Actors Looking to Execute Supply-Chain Attacks
The presence of over a thousand malicious packages is an issue because NPM is a hugely popular repository. NPM serves 20 billion package downloads each week, and those packages are then installed in web services all over the world.
Some of the malicious packages discovered by WhiteSource include:
- H98dx, a remote shell
- Azure-web-pubsub-express, a data collection module
- mos-sass-loader and css-resources-loader, giving RCE capabilities
Even though NPM went through its database and took down the malicious packages, there is no telling how long they were available, how many people downloaded them, and how many dropped them into their applications. Abusing a platform as large and as popular as NPM lets threat actors pull off supply-chain attacks that ride on a powerful upstream entity.