Security News > 2021 > July > NPM Package Steals Passwords via Chrome’s Account-Recovery Tool

Npm is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome's V8 JavaScript engine.

"Vast" would be an understatement to describe the ecosystem: npm hosts more than 1.5 million unique packages, and serves up more than 1 billion requests for JavaScript packages per day, to around 11 million developers worldwide.

Js - implements the same remote shell functionality as the ones found in versions of the nodejs net server package, but this package doesn't perform execution hijacking, and it lacks a persistence mechanism, making its purpose "a bit unclear," ReversingLabs said.

ReversingLabs contacted the npm security team on July 2 to give them a heads-up about the nodejs net server and tempdownloadtempfile packages and circled back once again last week, on Thursday, since the team still hadn't removed the packages from the repository.

In July 2018, an attacker compromised the npm credentials of an ESLint maintainer and published malicious versions of the popular "Eslint-scope" and "Eslint-config-eslint" packages to the npm registry.

A few months later, in November 2018, another malicious package was discovered: it was a dependency to version 3.3.6 of the popular package, "Event-stream." The malicious package, called "Flatmap-stream," contained an encrypted payload that was tailored to steal Bitcoins from the Copay application.

News URL

https://threatpost.com/npm-package-steals-chrome-passwords/168004/