The npm security team has just recently removed a malicious JavaScript library from the npm website that contains malicious code that can be used for opening backdoors on certain programmers' computers.
The JavaScript library was named the "twilio-npm" according to web.archive and it has shown malicious behavior that was recently detected by Sonatype, a company that monitors the public package repositories all as part of its own developer security operations known as DevSecOps services.
Compromised library first found in npm website
According to the recently published report by Sonatype, the library was allegedly first published on the npm website some time Friday and was discovered on the very same day. Today, this was removed after the official npm security team eventually blacklisted the said package.
Despite the really short lifespan on the said npm portal, the library was actually downloaded over 370 times and also automatically included certain JavaScript projects that were built and also managed through the npm or Node Package Manager command-line utility.
Sonatype security researcher found out about the flawed library
Ax Sharma, a known Sonatype security researcher responsible for discovering and analyzing the flawed library, stated that the malicious code was found within the fake Twilio library that would eventually open a TCP reverse shell on every one of the computers that the said library was downloaded. After being downloaded, it was then imported inside the JavaScript/npm/Node.js projects.
The reverse shell opens to a connection straight towards "4.tcp.ngrok[.]io:11425" originally from where it first waited to receive a set of new commands in order to run on the infected users' own computers. Sharma then said that the reverse shell would only work on the UNIX-based OS.
According to an article by ZDNet, the npm security team confirmed Sonatype's investigation by saying any computer that actually has this package already installed or already running should be considered as fully compromised. It was also stated that all secrets as well as keys stored within that computer should definitely be rotated quite immediately from a certain different computer.
Read Also: Jailbreak iOS 14.2 Solutions: How to Install Latest iOS for Earlier Phones
Attacks have been going on for quite a while
This currently marks the fourth ever major takedown of the malicious npm package over the span of three months. Back sometime in late August, the npm staff proceeded to remove a malicious npm or JavaScript library that was designed to steal certain sensitive files from a particularly infected users' browser as well as Discord application.
Quite similarly, back in September, the known npm staff then removed four different npm (JavaScript) libraries used for collecting certain user details and also uploading the stolen data straight to a public GitHub page. In order to properly defend from hackers, it is better to avoid using the said JavaScript library or other similar libraries that could be malicious.
Related Article: US Hospitals' Recent Ransomware Attack is the 'Most Significant Cybersecurity Threat' Ever Seen, Say Experts
This article is owned by Tech Times
Written by Urian Buenconsejo