dominictarr / rc

The non-configurable configuration loader for lazy people.

Version 1.2.9 contains malicious code #131

Open magano opened 2 years ago

magano commented 2 years ago

Check if you have this version installed locally, as it contains malicious code that runs on Windows. For a short period of time this version was available on the registry and it contained some malicious code!

If you have this version, you should have 2 files:

mohe2015 commented 2 years ago

https://github.com/advisories/GHSA-g2q5-5433-rhrf

DanielRuf commented 2 years ago

See also this RFC to disable npm scripts by default: https://github.com/npm/rfcs/discussions/80

ccravens commented 2 years ago

Hello all, I've started a petition to try and get NPM to implement security measures to prevent publishing compromised packages. Please support our petition by signing and sharing, thank you!

https://www.change.org/p/npm-please-secure-package-releasing

e4711s commented 2 years ago

Timestamps of the malicious packages' publication (via "npm show rc time"): '1.2.9': '2021-11-04T15:30:19.438Z', '1.3.9': '2021-11-04T15:30:34.911Z', '2.3.9': '2021-11-04T15:30:47.021Z'

Does anyone know when they were unpublished?

e4711s commented 2 years ago

https://twitter.com/npmjs/status/1456398505832976384 is a rough indication. It was posted at 11:10 PM · Nov 4, 2021 UTC

e4711s commented 2 years ago

Does anyone know if the malware is only targeting Windows or other operating systems as well? https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/ indicates it might be only Windows, but I'm not sure.

magano commented 2 years ago

This one specifically was triggering the execution of a BAT file, so only Windows.

mohe2015 commented 2 years ago

Are you sure? The ua-parser-js one also targeted Windows (edit: I meant also Linux) and the file list looks similar. Is the code available somewhere?

e4711s commented 2 years ago

ua-parser-js had malware for Windows and Linux attached

magano commented 2 years ago

I still have the compromised package on my dev machine. Not sure how to share it though.

christophetd commented 2 years ago

@magano Can you PM me on Twitter or on the e-mail listed on my profile? Happy to give instructions, and I'd be interested in having a look. Thank you!

5stars217 commented 2 years ago

Hello all, I've started a petition to try and get NPM to implement security measures to prevent publishing compromised packages. Please support our petition by signing and sharing, thank you!

https://www.change.org/p/npm-please-secure-package-releasing

@ccravens You'd be better off engaging Node (and your employer(s)) about how you can contribute to a fund/project to acquire the funding to do so, rather than just having a petition for something they're well aware of. https://github.com/nodejs/nodejs.org/blob/main/CONTRIBUTING.md

e4711s commented 2 years ago

@magano can you upload the entire package to VirusTotal?

GNtousakis commented 2 years ago

@magano Can you please share the malicious package code with me in a Twitter PM or send me an email at gntousakis@isc.tuc.gr? I want to run some analysis on the source. Thank you very much! :-) :-)

chrisrocks commented 2 years ago

Does anybody know the exact timeframe of the malware's availability? At what time/date were the versions published, and when exactly were they removed? Thanks

DanielRuf commented 2 years ago

@chrisrocks please see the previous comments:

https://github.com/dominictarr/rc/issues/131#issuecomment-961685803

MichaelGissingNC commented 2 years ago

In contrast to the coa library, I can't find the actual content of the malicious change anywhere for the rc package.

I saw a lot of comments about them being basically the same payloads, but I wanted to confirm this somehow.

I am especially interested in whether the behavior for Linux and Mac is the same, i.e. whether it does not affect Linux and Mac at all. This issue's description mentions compile.js and compile.bat, and npm on Twitter also says it's the same payload. However, I would rest easier if I could confirm that somehow.

DanielRuf commented 2 years ago

In contrast to the coa library, I can't find the actual content of the malicious change anywhere for the rc package.

That's because npm found it much faster and directly removed it shortly after it was published.

GNtousakis commented 2 years ago

@DanielRuf Do you know if we can find the malicious code somewhere so we can review it?

DanielRuf commented 2 years ago

I am especially interested in whether the behavior for Linux and Mac is the same, i.e. whether it does not affect Linux and Mac at all. This issue's description mentions compile.js and compile.bat, and npm on Twitter also says it's the same payload. However, I would rest easier if I could confirm that somehow.

In all cases (ua-parser-js, coa, rc) the payloads were: DLL / EXE for Windows (password stealer) + cryptominer for Windows / Linux / macOS.

A cryptominer is the smallest issue that you will have and mostly harmless.

start /B node compile.js

See also https://github.com/dominictarr/rc/issues/131#issuecomment-961757259

start is a command from Windows. And so are BAT files.

@DanielRuf Do you know if we can find the malicious code somewhere so we can review it?

So far npm was way faster at removing it, so it looks like no one has a copy unless you were affected. Normally Sonatype catches such things earlier, but as npm was faster, not sure.

See also https://blog.sonatype.com/npm-hijackers-at-it-again-popular-coa-and-rc-open-source-libraries-taken-over-to-spread-malware and https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/

And the "sdd.dll" dropped by malicious 'rc' versions is yet again different (in terms of checksum) than these two. But all of the DLLs essentially plant the same malware.

MichaelGissingNC commented 2 years ago

In all cases (ua-parser-js, coa, rc) the payloads were: DLL / EXE for Windows (password stealer) + cryptominer for Windows / Linux / macOS.

A cryptominer is the smallest issue that you will have and mostly harmless.

@DanielRuf That's not entirely true; I did not see a cryptominer shipped for Linux and macOS in the coa package. I did not look at ua-parser-js though.

start is a command from Windows. And so are BAT files.

The preinstall line for coa was start /B node compile.js & node compile.js, which actually runs on my Linux machine because of the second part:

/tmp/tmp.PHDjrF6bwH/sip-7/test01-run-on-linux$ cat compile.js 
console.log("hello world")

/tmp/tmp.PHDjrF6bwH/sip-7/test01-run-on-linux$ sh -c "start /B node compile.js & node compile.js"
sh: 1: start: not found
hello world

So if the compile.js was the same as for coa, then it's fine, because there the actual call to compile.bat was hidden and nothing else is executed for Linux and Mac.

DanielRuf commented 2 years ago

@DanielRuf That's not entirely true; I did not see a cryptominer shipped for Linux and macOS in the coa package. I did not look at ua-parser-js though.

It was at least the same threat actor according to the sources, so the payloads were probably the same. rc and coa probably just shipped the stealer malware and not the cryptominer anymore. I did not check this in detail.

I think the links contain the most information (for rc and coa it is probably safe to assume that it was the same payload).

magano commented 2 years ago

@magano can you upload the entire package to VirusTotal?

I uploaded the BAT file to VirusTotal, which led to this: https://www.virustotal.com/gui/file/eb99954657e3ae69c43c0ccb90131763030239fbd4dff18719e21dae2d6e0a93/behavior/VirusTotal%20Box%20of%20Apples

And the JS file led to the following: https://www.virustotal.com/gui/file/6d743a0267197b937b31128272743793fc876c3804cb6f6935afc22688f04c06?nocache=1

@magano Can you please share the malicious package code with me in a Twitter PM or send me an email at gntousakis@isc.tuc.gr? I want to run some analysis on the source. Thank you very much! :-) :-)

Sent via email.

GNtousakis commented 2 years ago

@magano thanks a lot!

qubitter commented 2 years ago

@magano could you please share the entire npm package with me? My email address is cbershatsky@qualys.com. The package is required for work.

volkancakil commented 2 years ago

1 - event-stream
2 - rc

Is selling popular packages to the hackers a new fashion?

goatandsheep commented 2 years ago

I'm maintaining a popular fork that is Snyk-protected: https://www.npmjs.com/package/run-con

ljharb commented 2 years ago

@volkancakil that isn't what happened in either case, nor in any other I'm aware of.

goatandsheep commented 2 years ago

You're right, it absolutely is not. You can even see it in the git history. Dom's npm keys must have been hacked.