Today, Investigators at ReversingLabs have revealed their researches on two malicious npm packages that secretly hijack credentials from your Chrome web browser.<\/p><\/p>\n\n\n\n
These packages are called:<\/p><\/p>\n\n\n\n
- nodejs_net_server \u2013<\/strong> over 1,300 total number of downloads<\/li>
- temptesttempfile \u2013 <\/strong>over 800 total downloads<\/li><\/ul>\n\n\n\n
These packages were found by ReversingLabs Titanium Platform static analysis engine that employed machine learning algorithms.<\/p><\/p>\n\n\n\n
But the main focus of the reports is on nodejs_net_server which contains the core malware features.<\/p><\/p>\n\n\n\n
The Trojan targets Windows machines to hijack user passwords and also sets up a persistent remote backdoor for the threat actors to conduct surveillance activities.<\/p><\/p>\n\n\n\n
To provides its credential-stealing activities, the Trojan specifically \u201cnodejs_net_server,\u201d uses the appropriate ChromePass freeware facilities for Windows. ChromePass is one of the password recovery tools for Windows systems that major goal is to extract credentials from the user\u2019s Chrome web browser:<\/p><\/p>\n\n\n\n
![\"Vulnerable-NPM-Packages-Hijack-Chrome-Credentials-on-Windows-using-Recovery-Tools-image1\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Vulnerable-NPM-Packages-Hijack-Chrome-Credentials-on-Windows-using-Recovery-Tools-image1.jpg\")
<\/figure><\/div>\n\n\n\nThe utility is packed inside the npm package with cryptic or misleading names, like a.exe.<\/p><\/p>\n\n\n\n
Disregarding, as ChromePass executables have previously been flagged by VirusTotal as malicious.<\/p><\/p>\n\n\n\n
The \u201cnodejs_net_server\u201d has had 12 versions published to date, with the advanced on 1.1.2 computing about 40 MB in size uncompressed.<\/p><\/p>\n\n\n\n
In later versions, though, the Trojan is seen launching TeamViewer.exe to bypass raising red flags.<\/p><\/p>\n\n\n\n
Harm NPM Configuration options to Gain Perseverance <\/strong><\/h2>\n\n\n\n
Most malicious npm packages caught thus far rely on typosquatting or dependency confusion to infect developers. But that is not the case with these packages, and it\u2019s not yet been discovered that how these packages handle get so many downloads.<\/p><\/p>\n\n\n\n
We haven\u2019t discovered any obvious typosquatting target by examining the package name. It is still unclear to us how the author aimed to manipulate users into installing the package. We can however see download activity on the packages statics page.<\/p><\/p>\n\n\n\n
We have contacted NPM to take the package down. We are still waiting on their security team to respond, \u201cReversingLabs\u201d chief software architect and co-founder, Tomislav Pericin told our experts in an email interview. <\/p><\/p>\n\n\n\n
![\"Vulnerable-NPM-Packages-Hijack-Chrome-Credentials-on-Windows-using-Recovery-Tools-image2\"](\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Vulnerable-NPM-Packages-Hijack-Chrome-Credentials-on-Windows-using-Recovery-Tools-image2-1024x572.jpeg\")
<\/figure><\/div>\n\n\n\n\u201cWe removed the package in accordance with npm\u2019s acceptable use policy regarding malware, as mentioned in its Open-Source Terms,\u201d a GitHub spokesperson told our experts.<\/p><\/p>\n\n\n\n
Interestingly, as soon as the package is installed by the developer, it attempts to gain endurance on the Windows machine by harming the well-known npm configuration option, \u201cbin\u201d.<\/p><\/p>\n\n\n\n
The \u201cbin\u201d option in the package\u2019s manifest file, package\u2019s manifest file, package.json, is proposed at stealing the popular \u201cjstest\u201d package, should it be pre-installed on a developer\u2019s machine.<\/p><\/p>\n\n\n\n
\u201cjstest\u201d is a cross-platform JavaScript testing infrastructure downloaded over 36,000 times to date \u2013 meaning, high chances a NodeJS developer would have it.<\/p><\/p>\n\n\n\n
Whoops! The trojan author reveals their Passwords<\/strong><\/h3>\n\n\n\n
In an unexpected twist, some versions of nodejs_net_server contain text files with usernames and plaintext credentials of the Trojan author, separated from Chrome.<\/p><\/p>\n\n\n\n
ReversingLabs consider this to be an incident on the author\u2019s part:<\/p><\/p>\n\n\n\n
\u201cOne of the funniest facts related to versions that accommodate the password recovery tool is that the package author accidentally published their own, preserved login credentials.\u201d<\/p><\/p>\n\n\n\n
\u201cIt comes that the posted versions 1.1.1 and 1.1.2 from the NOM repository include the results of testing the ChromePass tool on the author\u2019s personal system.\u201d<\/p><\/p>\n\n\n\n
\u201cThese login credentials were stored in the \u2018a.txt\u2019 file located in the same folder as the password recovery tool named as \u2018a.exe\u2019,\u201d told by ReversingLabs reverse engineer Karlo Zanki.<\/p><\/p>\n\n\n\n
Over the last few months, attacks on open source ecosystems including, npm, PyPI and RubyGems have grown regularly.<\/p><\/p>\n\n\n\n
While the recent reports of current dependency stealing attacks flooding open source repos, the main concern is not going away anytime soon.<\/p><\/p>\n\n\n\n
\u201cWe are still to see a malicious repository package enclose itself in the final release image, but that seems like it\u2019s only a matter of time with the current state of things,\u201d concluded Pericin.<\/p><\/p>\n","protected":false},"excerpt":{"rendered":"
New NPM Trojan has been discovered hijacking credentials from the Google Chrome web browser by using appropriate password recovery tools on Windows systems. Moreover, this Trojan observes for incoming connections from the threat actor\u2019s C2 server and gives new functionalities, such as screen and camera access, file lookup, shell command execution, file upload, and directory […]<\/p>\n","protected":false},"author":2,"featured_media":2596,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[5],"tags":[],"yoast_head":"\n
Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools - Xiarch Solutions Private Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools - Xiarch Solutions Private Limited\" \/>\n<meta property=\"og:description\" content=\"New NPM Trojan has been discovered hijacking credentials from the Google Chrome web browser by using appropriate password recovery tools on Windows systems. Moreover, this Trojan observes for incoming connections from the threat actor\u2019s C2 server and gives new functionalities, such as screen and camera access, file lookup, shell command execution, file upload, and directory […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\" \/>\n<meta property=\"og:site_name\" content=\"Xiarch Solutions Private Limited\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/xiarch\/\" \/>\n<meta property=\"article:published_time\" content=\"2021-07-22T08:04:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-07-22T08:04:36+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Vulnerable-NPM-Packages-Hijack-Chrome-Credentials-on-Windows-using-Recovery-Tools-featured-image.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1000\" \/>\n\t<meta property=\"og:image:height\" content=\"525\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Xiarch Security\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@xiarch\" \/>\n<meta name=\"twitter:site\" content=\"@xiarch\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Xiarch Security\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\"},\"author\":{\"name\":\"Xiarch Security\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\"},\"headline\":\"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools\",\"datePublished\":\"2021-07-22T08:04:34+00:00\",\"dateModified\":\"2021-07-22T08:04:36+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\"},\"wordCount\":741,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"articleSection\":[\"Breaches\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\",\"url\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\",\"name\":\"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools - Xiarch Solutions Private Limited\",\"isPartOf\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#website\"},\"datePublished\":\"2021-07-22T08:04:34+00:00\",\"dateModified\":\"2021-07-22T08:04:36+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/xiarch.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/xiarch.com\/blog\/#website\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"name\":\"Xiarch Solutions Private Limited\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/xiarch.com\/blog\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/xiarch.com\/blog\/#organization\",\"name\":\"Xiarch\",\"url\":\"https:\/\/xiarch.com\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"contentUrl\":\"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png\",\"width\":300,\"height\":300,\"caption\":\"Xiarch\"},\"image\":{\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/xiarch\/\",\"https:\/\/twitter.com\/xiarch\",\"https:\/\/www.linkedin.com\/company\/xiarch\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c\",\"name\":\"Xiarch Security\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g\",\"caption\":\"Xiarch Security\"},\"sameAs\":[\"https:\/\/xiarch.com\/blog\/\"],\"url\":\"https:\/\/xiarch.com\/blog\/author\/vector\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools - Xiarch Solutions Private Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/","og_locale":"en_US","og_type":"article","og_title":"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools - Xiarch Solutions Private Limited","og_description":"New NPM Trojan has been discovered hijacking credentials from the Google Chrome web browser by using appropriate password recovery tools on Windows systems. Moreover, this Trojan observes for incoming connections from the threat actor\u2019s C2 server and gives new functionalities, such as screen and camera access, file lookup, shell command execution, file upload, and directory […]","og_url":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/","og_site_name":"Xiarch Solutions Private Limited","article_publisher":"https:\/\/www.facebook.com\/xiarch\/","article_published_time":"2021-07-22T08:04:34+00:00","article_modified_time":"2021-07-22T08:04:36+00:00","og_image":[{"width":1000,"height":525,"url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/07\/Vulnerable-NPM-Packages-Hijack-Chrome-Credentials-on-Windows-using-Recovery-Tools-featured-image.jpg","type":"image\/jpeg"}],"author":"Xiarch Security","twitter_card":"summary_large_image","twitter_creator":"@xiarch","twitter_site":"@xiarch","twitter_misc":{"Written by":"Xiarch Security","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#article","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/"},"author":{"name":"Xiarch Security","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c"},"headline":"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools","datePublished":"2021-07-22T08:04:34+00:00","dateModified":"2021-07-22T08:04:36+00:00","mainEntityOfPage":{"@id":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/"},"wordCount":741,"commentCount":0,"publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"articleSection":["Breaches"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/","url":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/","name":"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools - Xiarch Solutions Private Limited","isPartOf":{"@id":"https:\/\/xiarch.com\/blog\/#website"},"datePublished":"2021-07-22T08:04:34+00:00","dateModified":"2021-07-22T08:04:36+00:00","breadcrumb":{"@id":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/xiarch.com\/blog\/vulnerable-npm-packages-hijack-chrome-credentials-on-windows-using-recovery-tools\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/xiarch.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Vulnerable NPM Packages Hijack Chrome Credentials on Windows using Recovery Tools"}]},{"@type":"WebSite","@id":"https:\/\/xiarch.com\/blog\/#website","url":"https:\/\/xiarch.com\/blog\/","name":"Xiarch Solutions Private Limited","description":"","publisher":{"@id":"https:\/\/xiarch.com\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/xiarch.com\/blog\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/xiarch.com\/blog\/#organization","name":"Xiarch","url":"https:\/\/xiarch.com\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","contentUrl":"https:\/\/xiarch.com\/blog\/wp-content\/uploads\/2021\/06\/xi-logo-002.png","width":300,"height":300,"caption":"Xiarch"},"image":{"@id":"https:\/\/xiarch.com\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/xiarch\/","https:\/\/twitter.com\/xiarch","https:\/\/www.linkedin.com\/company\/xiarch"]},{"@type":"Person","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/655d814a04eacce56942270cfdc5c59c","name":"Xiarch Security","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/xiarch.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d33699ed91b76568586dc1ae278ea568?s=96&d=mm&r=g","caption":"Xiarch Security"},"sameAs":["https:\/\/xiarch.com\/blog\/"],"url":"https:\/\/xiarch.com\/blog\/author\/vector\/"}]}},"_links":{"self":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2594"}],"collection":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/comments?post=2594"}],"version-history":[{"count":1,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2594\/revisions"}],"predecessor-version":[{"id":2599,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/posts\/2594\/revisions\/2599"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media\/2596"}],"wp:attachment":[{"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/media?parent=2594"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/categories?post=2594"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/xiarch.com\/blog\/wp-json\/wp\/v2\/tags?post=2594"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} - temptesttempfile \u2013 <\/strong>over 800 total downloads<\/li><\/ul>\n\n\n\n