• The malicious package named as “bb-builder” was targeting Windows operating systems.
  • The npm team tagged the malicious package with critical severity and removed it from their repository.

The npm repository team recently identified a malicious package in their repository and removed it yesterday. The malicious package was found to be stealing login information from various computers in which it was installed on. The malicious package named as “bb-builder” was targeting Windows operating systems.

Who found the malicious package?

Tomislav Pericin, co-founder and chief software architect at ReversingLabs alerted npm repository team about the malicious package on their repository. ReversingLabs is a company that provides automatic static analysis and threat detection products to enterprises.

Pericin also said BleepingComputer that he found the malicious package after scanning the entire 35TB of npm repository for dangerous entries.

The npm Advisory

The npm repository is a commonly used online database for storing open-source software packages. These packages often relate to Node.js projects and serve dependencies to many other projects.

The npm repository team published an advisory that was tagged with critical severity. According to the advisory, all the version of a package named bb-builder were identified to contain malicious code.

The npm repository team did pull the package from the repository and marked in with critical severity. “Any computer that has this package installed or running should be considered fully compromised,” pointed npm in its advisory.

Communication with remote server

The malicious package was identified to send the secret keys and login information to a remote server. It consisted of a Windows executable file which when installed on a users’ computer starts transferring login information and other secret data to a remote server.


The npm security team advises that any computer that has this package installed or running it should consider removing it completely, as the package is fully compromised with malicious code.

“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” npm team said in its advisory.

Cyware Publisher