Yet another piece of malware has been found in npm (Node Package Manager), the JavaScript package registry. This time, developers who installed the jdb.js and db-json.js packages were infected with the njRAT remote access trojan. Both packages were removed from npm earlier this week.
Both packages were created by the same author and described as tools for working with JSON files. They were uploaded to npm last week and downloaded more than 100 times before Sonatype discovered the malware in them.
According to Sonatype analysts, the packages contained a malicious script that ran automatically when a developer installed either of the two libraries. The script performed basic reconnaissance on the host and then attempted to download and execute the file patch.exe (the sample is on VirusTotal), which in turn installed the njRAT trojan on the affected machine. This malware is also known as Bladabindi and has been in use by cybercriminals since at least 2015.
So that njRAT could be fetched unhindered, the patch.exe loader first altered the local Windows firewall configuration by adding an allow rule for its command-and-control server, and only then downloaded the malware.
Interestingly, only jdb.js exhibited this behavior; the second package, db-json.js, merely pulled in the first one as a dependency, evidently to disguise where the malicious code actually lived.
Since njRAT is a very serious threat, the npm security team recommends that affected developers treat their systems as fully compromised. The experts stress that simply uninstalling the malicious package is not enough in this case, since “there is no guarantee that removing the package will remove all of the malicious software that appears as a result of its installation.”
It should be noted that cybercriminals' interest in npm has grown markedly since August of this year. Over the past months, researchers have repeatedly discovered malicious packages designed to steal data from infected systems. Attackers are evidently targeting developers' machines in order to steal credentials for confidential projects, source code and intellectual property, or to stage larger supply-chain attacks.