Malicious npm packages spotted delivering njRAT Trojan

Pierluigi Paganini December 01, 2020

npm security staff removed two packages that contained malicious code to install the njRAT remote access trojan (RAT) on developers’ computers.

Security staff behind the npm repository removed two packages that were found containing the malicious code to install the njRAT remote access trojan (RAT) on computers of JavaScript and Node.js developers who imported and installed the jdb.js and db-json.js packages.

The packages were discovered by Sonatype researchers over the Thanksgiving weekend.

“This time, the typosquatting packages identified by us are laced with a popular Remote Access Trojan (RAT).” states the post published by Sonatype.

“The malicious packages are:

Both packages were created by the same author last week who masqueraded them as tools to work with JSON files.

The two were downloaded more than 100 times before they were discovered by Sonatype researchers.

The jdb.js package included a script designed to perform basic reconnaissance of the infected machine and data gathering. The script attempted to download and execute a file named patch.exe that was used to install the njRAT remote access trojan.

Sonatype’s researcher Ax Sharma noticed that patch.exe loader also modified the local Windows firewall by adding a rule to whitelist its command and control (C&C) server before connecting it to download the final RAT.

The second package, jdb.js, only included the ode to load jdb.js.

“The package “db-json.js” appears clean on a first glance as it contains functional code one would expect from a genuine JSON DB creation package. Yet, it is secretly pulling in the malicious “jdb.js” as a dependency, something Sonatype has repeatedly warned about.” continues the analysis.

Developers that installed one of the above packages have to consider their systems as fully compromised.

“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.” states the npm staff.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”

The presence of malicious npm packages in the official repository is becoming frequent.

In early November, the same team of researchers discovered an npm package that contains malicious code designed to steal sensitive Discord and browser files.

A few days before, the npm security team has removed a malicious JavaScript library named “twilio-npm” from its repository because contained a code for establishing backdoors on the computers of the programmers. Npm is the largest package repository for any programming language.

In October, NPM staff removed four JavaScript packages from the npm portal because were containing malicious code. Npm is the largest package repository for any programming language.

The four packages, which had a total of one thousand of downloads, are:

This marks the fourth major takedown of a malicious package over the past three months.

In late August, the staff removed a malicious npm (JavaScript) library designed to steal sensitive files from an infected users’ browser and Discord application.

In September, the security team removed four npm (JavaScript) libraries for collecting user details and uploading the stolen data to a public GitHub page.

In October, the npm team removed three packages that were also caught opening reverse shells (backdoors) on developer computers. The three packages were also discovered by Sonatype. Unlike the one discovered over the weekend, these three also worked on Windows systems, and not just UNIX-like systems.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, npm)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment