It’s a good sign for the code registry, which over the past few years has had to clean up several security snafus tied to its increasingly popular collection of libraries.
In January, NPM mistakenly removed a developer’s account due to a failure to review sanctions suggested by an automated anti-spam system. And in August last year, NPM missed a typosquatting attack that went on for two weeks.
This time, the process was a bit more surgical.
“Early May 2nd, the NPM security team received and responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor,” security engineer Adam Baldwin disclosed in a blog post. “The result of the investigation concluded with three packages and three versions of a fourth package being unpublished from the NPM registry.”
The backdoored package was called getcookies. Two other packages were involved: express-cookies, which included getcookies, and http-fetch-cookies, which included express-cookies (and therefore getcookies). The fourth package, mailparser, included http-fetch-cookies in three sequential versions.
The backdoor was designed to scan HTTP request.headers, looking for a command string. Were someone to set up a web application using the Express.js framework and one of the compromised modules, an attacker could submit a remote command as a web request and potentially execute arbitrary code under the same privilege level as the application.
As a result of its investigation, NPM removed the account of dustin87, associated with the malicious code, and unpublished getcookies, express-cookies, and http-fetch-cookies. It also removed three versions of mailparser (2.2.3, 2.2.2, and 2.2.1) that incorporated the unsafe http-fetch-cookies module and reset the NPM tokens tied to mailparser to prevent the appearance of more unauthorized variants.
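For readers who want to check their own projects for the packages and versions named above, here is an added illustration in Node.js. It is not code from the article, from npm, or from Baldwin: it walks a package-lock.json (either the nested `dependencies` tree of lockfileVersion 1 or the flat `packages` map of later lockfiles) and flags the four package names from the investigation, treating mailparser as bad only in 2.2.1 through 2.2.3. The lockfile contents and the version numbers of the three cookie packages are constructed for the example.

```javascript
// Added example: audit a package-lock.json for the packages named in the
// npm getcookies investigation. Not the article's, npm's or Baldwin's code.

// Package names and mailparser versions come from the article; null means
// "every version of this package is flagged".
const KNOWN_BAD = {
  'getcookies': null,
  'express-cookies': null,
  'http-fetch-cookies': null,
  'mailparser': new Set(['2.2.1', '2.2.2', '2.2.3']),
};

// Constructed sample in the lockfileVersion 1 shape (nested "dependencies").
// The 1.x version numbers of the cookie packages are made up for illustration.
const SAMPLE_LOCK_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    express: { version: '4.16.3' },
    mailparser: {
      version: '2.2.3',
      dependencies: {
        'http-fetch-cookies': {
          version: '1.0.1',
          dependencies: {
            'express-cookies': {
              version: '1.0.0',
              dependencies: { getcookies: { version: '1.0.0' } },
            },
          },
        },
      },
    },
    'safe-cookie-lib': { version: '3.1.0' },
  },
};

// Constructed sample in the lockfileVersion 2/3 shape (flat "packages" map
// keyed by install path). The mailparser version here is a made-up value
// outside the flagged range, to show the version filter at work.
const SAMPLE_LOCK_V2 = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/express': { version: '4.16.3' },
    'node_modules/mailparser': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/getcookies': { version: '0.1.0' },
  },
};

function isKnownBad(name, version) {
  if (!(name in KNOWN_BAD)) return false;
  const badVersions = KNOWN_BAD[name];
  return badVersions === null || badVersions.has(version);
}

// lockfileVersion 1: recurse through nested "dependencies", recording the
// chain of parents so the maintainer can see which top-level dependency
// pulled the flagged package in.
function walkDependencyTree(node, path) {
  const findings = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${info.version}`];
    if (isKnownBad(name, info.version)) {
      findings.push({ name, version: info.version, via: here.join(' > ') });
    }
    findings.push(...walkDependencyTree(info, here));
  }
  return findings;
}

// lockfileVersion 2/3: the install path already encodes the nesting, e.g.
// "node_modules/a/node_modules/@scope/b"; the package name is the last segment.
function walkPackagesMap(packages) {
  const findings = [];
  for (const [key, info] of Object.entries(packages)) {
    if (key === '') continue; // the root project entry
    const chain = key.split('node_modules/').filter(Boolean)
      .map((s) => s.replace(/\/$/, ''));
    const name = chain[chain.length - 1];
    if (isKnownBad(name, info.version)) {
      findings.push({ name, version: info.version, via: key });
    }
  }
  return findings;
}

// Entry point: pick the walker that matches the lockfile's shape.
function auditLock(lock) {
  return lock.packages ? walkPackagesMap(lock.packages)
                       : walkDependencyTree(lock, []);
}

for (const lock of [SAMPLE_LOCK_V1, SAMPLE_LOCK_V2]) {
  for (const f of auditLock(lock)) {
    console.log(`FLAG ${f.name}@${f.version} via ${f.via}`);
  }
}
```

On the first sample this reports all four packages, each with the chain back to mailparser@2.2.3; on the second it reports only the nested getcookies, because mailparser 2.1.0 lies outside the flagged range. To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))`; the `npm audit` command mentioned later in the article performs the same kind of lookup against npm's advisory database.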
The mailparser module, said Baldwin, has been deprecated, meaning it’s no longer recommended and should be removed from production code when possible, but it still gets downloaded 64,000 times a week.
Playing the long game
In a phone call with The Register, Baldwin said he believed the attack represented an effort to inflate the download counts of http-fetch-cookies.
The scheme involved including http-fetch-cookies in mailparser but not actually using it, in order to inflate its apparent popularity and boost its legitimacy.
Baldwin speculates that the attacker somehow obtained credentials for mailparser and used those to publish versions with the compromised code.
Baldwin claims no packages published to the NPM registry incorporated the malicious modules in a way that would have allowed the backdoor to function.
However, if a developer created an Express.js application and included one of the malicious modules, that application could be accessible through the backdoor.
“We believe that the attacker likely would have used another application to create payloads to be used with this backdoor,” said Baldwin in an email to The Register.
“The goal of these backdoored modules was to look legitimate enough to be included in Express-based applications; once deployed, the attacker then could have remotely executed commands on those systems through this backdoor.”
Aware that it attracts troublemakers, NPM has been hardening its security posture. Last month, it acquired ^Lift Security, the group that developed the Node Security Platform and that included Baldwin. Last week, it rolled out npm@6, which includes security features such as alerts when attempting to install vulnerable modules and an “audit” command.
Baldwin explained that NPM’s registry now has almost 700,000 packages and almost 10 million users, making it a magnet for those seeking to distribute malware.
“We’ll continue to see people attempt to publish software like this,” he said. “The thing to remember here is that anybody can publish some piece of code to the NPM registry, but this is not a guarantee that others will use it, or, even if they use it, that they will use it in a way that leads to a malicious outcome.” ®