Security News > 2021 > July > Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers
A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser.
"For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line."
While the first version of the package was put out just to test the process of publishing an NPM package, the developer, who went by the name of "Chrunlee", made follow-on revisions to implement a remote shell functionality which was improvised over several subsequent versions.
Interestingly, the author also abused the configuration options of NPM packages specified in the "Package.json" file, specifically the "Bin" field that's used to install JavaScript executables, to hijack the execution of a legitimate package named "Jstest" - a cross-platform JavaScript test framework - with a malicious variant, exploiting it to launch a service via command line that's capable of receiving an array of commands, including file lookup, file upload, shell command execution, and screen and camera recording.
Update: The offending NPM package has now been pulled from the repository, with a GitHub spokesperson telling The Hacker News that "We removed the package in accordance with npm's acceptable use policy regarding malware, as outlined in its Open-Source Terms."
Visiting the NPM page for "Nodejs net server" now displays the message "This package contained malicious code and was removed from the registry by the NPM security team."