More popular npm packages hijacked to spread malware
- A npm package maintainer has fallen victim to a phishing attack
- The attackers accessed packages and updated them to carry malware
- Most antivirus programs are still not properly flagging the malicious DLL
Several popular npm packages with millions of weekly downloads were targeted, and one used as a launchpad for malware deployment, when its maintainer fell prey to a phishing attack.
JounQin is a software developer that maintains eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
These packages help integrate and streamline code formatting with Prettier and ESLint, manage async-to-sync tasks in Node.js, handle native binary installs, and support core utilities for bundling workflows.
Publishing a clean version
Prettier is a code formatting tool that enforces consistent style by automatically reformatting source code. ESLint, on the other hand, is a static code analysis tool that scans JavaScript and TypeScript code for bugs, style issues, and potential security flaws without running the code.
They recently received an email that spoofed the [email protected] account, and which asked them to “verify” their account. They did so, and thus gave the attackers their login credentials. When the attackers gained access, they used it to install versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package. The community quickly spotted something was amiss, and notified the developer.
It was determined the malicious version runs a postinstall script as soon as it is installed. This script tries to execute a DLL via the rundll32 Windows system process which is now being flagged as a trojan.
The majority of antivirus programs are still not flagging this .DLL as malware. So far, just 19 out of 72 engines are detecting this DLL as malicious.
“I’ve deleted that npm token and will publish a new version ASAP,” JounQin said after realizing they were compromised. “Thanks all, and sorry for my negligence.”
Here is a list of the malicious packages which should be avoided:
eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6, and 10.1.7.
eslint-plugin-prettier versions 4.2.2 and 4.2.3.
synckit version 0.11.9
@pkgr/core version 0.2.8
napi-postinstall version 0.3.1
Via BleepingComputer
You might also like
A npm package maintainer has fallen victim to a phishing attack The attackers accessed packages and updated them to carry malware Most antivirus programs are still not properly flagging the malicious DLL Several popular npm packages with millions of weekly downloads were targeted, and one used as a launchpad for…
