Microsoft discovers malicious npm package


Microsoft has discovered a malicious npm package that steals data from Unix systems. The npm (Node Package Manager) security team has since removed the package from the registry.

The malicious package is called 1337qq-js and was uploaded to the npm registry on December 30th. It had been downloaded at least 32 times before Microsoft's Vulnerability Research team discovered it. According to the npm security team's analysis, the package targets UNIX systems and steals sensitive information through malicious install scripts, which npm runs automatically when the package is installed.

Environment variables

The stolen data included environment variables, the list of running processes, the contents of /etc/hosts, the output of uname -a, and .npmrc files (which can contain npm authentication tokens). Stealing environment variables is considered a serious breach because secrets such as hard-coded passwords or API access tokens are often stored in environment variables, particularly by JavaScript apps.

Updating credentials

The npm team recommends that all developers who downloaded this package, or used it in their projects, remove it from their systems. It also recommends rotating any credentials that may have been present in environment variables or files on an affected system, since those should be treated as exposed.

ZDNet reports that this is the sixth incident involving a malicious package on the npm registry. It is also the least serious of them: Microsoft's analysts discovered the library after about two weeks, before much abuse could take place.