Security News > 2020 > October > NPM nukes NodeJS malware opening Windows, Linux reverse shells

These 4 packages had collected over 1,000 total downloads over the course of the last few months up until being removed by NPM yesterday.
Although the malicious packages were spotted and removed by NPM, I was able to dig into Sonatype's automated malware detection system archives to obtain copies of their source code, as it had existed on NPM downloads.
After the packages are installed, the code establishes a reverse shell to the attacker's server, allowing the attacker to obtain remote access to the compromised machine.
Json was faked by the malware author, or the malware author published these malicious packages using compromised GitHub and npm accounts belonging to different developers.
As observed by BleepingComputer, the different NPM author accounts associated with these 4 packages have now been shut down by npm.