Security News > 2020 > October > NPM nukes NodeJS malware opening Windows, Linux reverse shells
These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday.
Although the malicious packages were spotted and removed by NPM, I was able to dig into Sonatype's automated malware detection system archives to obtain copies of their source code, as it had existed on NPM downloads.
After the packages are installed, the code establishes a reverse shell to the attacker's server, allowing the attacker to obtain remote access to the compromised machine.
Json was faked by the malware author, or the malware author published these malicious packages using compromised GitHub and npm accounts belonging to different developers.
As observed by BleepingComputer, the different NPM author accounts associated with these 4 packages have now been shut down by npm.
News URL
Related news
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)
- New Perfctl Malware Targets Linux Servers for Cryptocurrency Mining and Proxyjacking (source)
- Linux malware “perfctl” behind years-long cryptomining campaign (source)
- Linux systems targeted with stealthy “Perfctl” cryptomining malware (source)
- New FASTCash malware Linux variant helps steal money from ATMs (source)
- New Linux Variant of FASTCash Malware Targets Payment Switches in ATM Heists (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- BeaverTail Malware Resurfaces in Malicious npm Packages Targeting Developers (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)