- An npm package maintainer fell victim to a phishing attack
- The attackers used the stolen credentials to publish versions of the packages that carry malware
- Most antivirus engines are not yet flagging the malicious DLL
Several popular npm packages with millions of weekly downloads were compromised, and one was used as a launch platform for malware, after their maintainer fell prey to a phishing attack.
JounQin is a software developer who maintains eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall.
The first two integrate the Prettier code formatter with ESLint; synckit runs asynchronous tasks synchronously in Node.js; napi-postinstall handles the installation of native (N-API) binary addons; and @pkgr/core provides shared core utilities for the group's packages.
Publish a clean version
Prettier is a code formatting tool that enforces a consistent style by automatically reformatting source code. ESLint, on the other hand, is a static analysis tool that scans JavaScript and TypeScript code for errors, style problems and possible security defects without executing it.
Recently the maintainer received an email spoofing an npm support address, asking them to “verify” their account. They did, and in doing so handed the attackers their login credentials. With that access, the attackers published versions 8.10.1, 9.1.1, 10.1.6 and 10.1.7 of the eslint-config-prettier package. The community quickly noticed something was wrong and notified the developer.
The malicious versions were found to run a post-install script as soon as the package is installed. On Windows, this script attempts to execute a DLL through the rundll32 system process; that DLL is now flagged as a Trojan.
Most antivirus engines are not yet flagging this DLL as malware: at the time of writing, only 19 of 72 engines detect it as malicious.
“I have removed that npm token and will publish a new version as soon as possible,” JounQin said after realizing the account had been compromised. “Thank you all, and sorry for my negligence.”
Here is the list of malicious package versions that should be avoided:
eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6 and 10.1.7
eslint-plugin-prettier versions 4.2.2 and 4.2.3
synckit version 0.11.9
@pkgr/core version 0.2.8
napi-postinstall version 0.3.1
Via BleepingComputer