Slashdot Mirror


Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular -- albeit deprecated -- JavaScript package. The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team -- which analyzed this package earlier today after reports from the npm community -- says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library.

3 of 88 comments

  1. Re:And that's why we can't have nice things by Anonymous Coward · · Score: 2, Interesting

    One day I accidentally ran "npm install aws-cli" instead of "pip install aws-cli", and ended up finding this little gem:

    https://www.npmjs.com/package/aws-cli

    which at the time had 60k downloads a WEEK, and was some random script that would delete your AWS certs...

    in addition to importing a dependency which installs a backdoor designed by some communist cryptocurrency secret society:

    https://www.npmjs.com/package/operetta

    just follow the trail and you'll get here: http://telekommunisten.net/ ... and that leads to dark places

  2. This makes me irrationally angry. by Anonymous Coward · · Score: 1, Interesting

    While real programmers working in real languages are getting laid off or outsourced, millennial programming languages like JavaScript and tools like npm get made and get widely distributed around the internet. I hope the whole stack gets wannacried/code reded soon.

  3. Re:And that's why we can't have nice things by Anonymous Coward · · Score: 3, Interesting

    The basic problem is that ANY package may contain something malicious. How in the world can you possibly audit them? Many packages depend upon other packages as well. There is often a whole chain of dependencies. Any single one of those packages could have code injected into them (on purpose or because the maintainer got hacked and submitted a signed package that wasn't really theirs).

    So, the choice is to reinvent the wheel or to accept a certain level of risk. A company with the resources of Apple or Google probably prefers to reinvent. But most companies don't have those resources. It is very expensive to audit (and you would have to audit every single version change).

    I am not suggesting people ignore the problem. One does need to be vigilant, but often the cost/benefit is not there to do a thorough job of vetting.