PureScript installer found containing malicious code

• The malicious code was present in packages of NPM installer -- which were developed and maintained by the original author.
• It was found that the code was added to stop the NPM installer from running successfully.

An NPM installer, which installs PureScript, was found containing malicious code. The discovery was made by software developer Harry Garrood and team the previous week. In addition to that, two exploits to make the malicious code work were also detected. As stated by Garrood, the malicious code was inserted to stop the NPM installer from running correctly. The installer was created by Japanese developer Shinnosuke Watanabe.

PureScript is a functional programming language that compiles to JavaScript, and NPM is a popular package manager for JavaScript libraries.

Key highlights

• In a blog post, Garrood details the exploits used in activating the malicious code found in two NPM packages.
• The packages in question are ‘load-from-cwd-or-npm’ version 3.0.2 and ‘rate-map’ version 1.0.3.
• According to Garrood, Watanabe claimed that someone had access to his NPM account in order to insert the malicious code in the packages.
• Fortunately, the malicious code has been removed in an updated version (0.13.2) of the PureScript NPM installer. Furthermore, certain code dependencies maintained by Watanabe were also eliminated in this compiler release.

Worth noting

Garrood says that the code prevented the download of the installer subsequently crashing the application. The reason was the presence of the two exploits which activated the code. “The first exploit did this by breaking the load-from-cwd-or-npm package so that any call to loadFromCwdOrNpm() would return a PassThrough stream instead of the package we were expecting,” Garrood explained.

“The second iteration of the exploit did this by modifying a source file to prevent a download callback from firing,” Garrood further added.