Organizations and individuals know they should protect publicly exposed applications and services against threats. There are always weak links, however, and threat actors are constantly looking for easy ways into a network. One such way is to exploit the trust developers place in third-party code. In one recent instance, a software package in the npm repository was found to be a tool for stealing passwords saved in the Chrome browser.
The malware was found to use legitimate password recovery tools on Windows systems. It also provides additional access to the camera and screen, file lookup, directory listing, file upload, and shell command execution. The packages have been in the npm registry since 2018 and have been downloaded more than 2,000 times.
Why it matters
The malware resided in the npm registry for three years, which is a concerning factor. This threat confirms that attacks on open-source ecosystems are not going away and that they can evade detection for long periods.
The bottom line
npm is not alone: cybercriminals have also infiltrated PyPI to mine cryptocurrency illicitly. This latest incident shows how developers sometimes place too much trust in third-party code. Public package repositories serve as a good hiding place for malware, so there is a growing need for security measures that promptly detect and protect against these threats.