
The security team behind the "npm[1]" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.

The two packages were named jdb.js[2] and db-json.js[3]. Both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications.

Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis.

According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed either of the two malicious libraries.

The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe (VT scan[4]) that later installed njRAT[5], also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.

To make sure the njRAT download wouldn't have any issues, Sharma said the patch.exe loader also modified the local Windows firewall to add a rule to whitelist its command and control (C&C) server before pinging back its operator and initiating the RAT download.

All of this behavior was contained in the jdb.js package only, while the second package, db-json.js, loaded the first in an attempt to disguise its malicious behavior.
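A defender can check for both patterns described above, the install-time script and the wrapper package that pulls in the malicious one as a dependency. The following Node.js audit is an added example, not code from Sonatype or npm; it assumes the "post-install script" maps to npm's `preinstall`/`install`/`postinstall` lifecycle scripts, and the manifests it runs on are constructed samples, not the real packages' contents.

```javascript
// npm lifecycle scripts that run automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Package names taken from the article; extend from other advisories as needed.
const KNOWN_BAD = new Set(['jdb.js', 'db-json.js']);

// manifests: array of parsed package.json objects.
// Returns one finding per package that runs code at install time or that
// reaches a known-bad package through its dependency chain.
function auditManifests(manifests, knownBad = KNOWN_BAD) {
  const byName = new Map(manifests.map((m) => [m.name, m]));

  // Depth-first walk of the dependency graph; `seen` guards against cycles.
  function pathToBad(name, seen) {
    if (knownBad.has(name)) return [name];
    if (seen.has(name)) return null;
    seen.add(name);
    const m = byName.get(name);
    if (!m) return null;
    const deps = { ...m.dependencies, ...m.optionalDependencies };
    for (const dep of Object.keys(deps)) {
      const rest = pathToBad(dep, seen);
      if (rest) return [name, ...rest];
    }
    return null;
  }

  const findings = [];
  for (const m of manifests) {
    const hooks = INSTALL_HOOKS.filter((h) => m.scripts && m.scripts[h]);
    const chain = pathToBad(m.name, new Set()) || [];
    if (hooks.length || chain.length) findings.push({ name: m.name, hooks, chain });
  }
  return findings;
}

// Constructed sample manifests; script and version values are placeholders.
const SAMPLE = [
  { name: 'jdb.js', scripts: { postinstall: 'node setup.js' } },
  { name: 'db-json.js', dependencies: { 'jdb.js': '*' } },
  { name: 'my-app', dependencies: { 'db-json.js': '^1.0.0', 'example-util': '1.0.0' } },
  { name: 'example-util' },
];

console.log(JSON.stringify(auditManifests(SAMPLE), null, 2));
```

Passing a block list that contains only `jdb.js` still flags `db-json.js` and anything depending on it, because the chain is followed transitively.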

Npm security team: Change all passwords

Since infections with any type of RAT-like malware are considered severe incidents, in security alerts on Monday, the npm security team advised web developers to

Read more from our friends at ZDNet