Malware once again a headache for npm

Fortiguard Labs is warning of a bunch of malicious packages it found in Node Package Manager (npm), the largest JavaScript software registry.

In an October 2 blog post, Fortiguard’s Jin Lee and Jenna Wang said the packages aim “to steal sensitive data, such as system or user information, via a webhook or file-sharing link”.

Lee and Wang said they identified some packages that, “while obfuscated, exfiltrate sensitive data”. 

That included “Kubernetes configurations, SSH keys, and other critical information. It also gathers basic system fingerprinting details, like username, IP address, and hostname,” they said.

The packages mostly had benign-looking names like “webpack”, “fixedwidthtable”, and “virtualsearchtable”.

A second set of packages “send HTTP GET requests to specific URLs, scanning for sensitive files and directories containing valuable intellectual property and configuration data, which is then extracted and uploaded to an FTP server.”

Source code and configuration files were captured by these packages, along with directories containing sensitive information like application and service credentials.

In all, Fortiguard identified nine groups of malicious npm packages with similar behaviours.

The nefarious activity was mostly hidden in install scripts that ran whenever the malicious package ran, Fortiguard said.

Malware remains a persistent problem for public software registries; npm was found to be hosting bad actors’ packages last year, and again earlier this year.