Another malicious npm package has appeared on the official repository, one that opened a backdoor on users' machines. The package impersonated a legitimate package to trick users into installing it.
npm Package Created Backdoor
As revealed in a report by Sonatype, a malicious npm package was published to the official repository a few days ago.
The package, labeled 'twilio-npm', appeared online on October 30, 2020, mimicking 'twilio', a legitimate package that already exists on the repository.
Once installed on a target machine, the malicious twilio-npm package opened a backdoor.
Three versions of the package, 1.0.0 through 1.0.2, were published on the same day; the first two were the more dangerous.
Regarding the impact on the victims’ devices, the report reads,
As soon as one of these versions of `twilio-npm` is installed on Unix-based systems, a TCP reverse shell is launched in the background to an external server: `4.tcp.ngrok[.]io:11425`.
This effectively opens a backdoor on the user’s machine giving the attacker control of the compromised machine and Remote Code Execution (RCE) capabilities.
Malicious Package Removed
Upon detecting the malicious package, the npm security team removed it from the repository. As described in the advisory,
twilio-npm opened a reverse shell to a remote server as a postinstall script.
The advisory warns that any system on which this package ran should be treated as fully compromised. Users should remove the package immediately and rotate any keys or secrets stored on the affected machine.
Even so, removing the package does not guarantee a clean system: the reverse shell gave the attacker an opportunity to make further changes to the machine that uninstalling the package would not undo.
On the positive side, the package did not survive long enough to infect a large number of users; the npm security team removed it quickly. Even in that short window, however, it garnered 371 downloads over the weekend.
This discovery is just the latest in a string of malicious packages found on the npm repository. About two weeks earlier, the npm team removed three malicious packages that used typosquatting to target users.