- A npm package deal maintainer has fallen sufferer to a phishing assault
- The attackers accessed packages and up to date them to hold malware
- Most antivirus applications are nonetheless not correctly flagging the malicious DLL
A number of common npm packages with hundreds of thousands of weekly downloads had been focused, and one used as a launchpad for malware deployment, when its maintainer fell prey to a phishing assault.
JounQin is a software program developer that maintains eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core, and napi-postinstall.
These packages assist combine and streamline code formatting with Prettier and ESLint, handle async-to-sync duties in Node.js, deal with native binary installs, and help core utilities for bundling workflows.
Publishing a clear model
Prettier is a code formatting instrument that enforces constant type by robotically reformatting supply code. ESLint, alternatively, is a static code evaluation instrument that scans JavaScript and TypeScript code for bugs, type points, and potential safety flaws with out operating the code.
They just lately obtained an electronic mail that spoofed the help@npmjs.com account, and which requested them to “confirm” their account. They did so, and thus gave the attackers their login credentials. When the attackers gained entry, they used it to put in variations 8.10.1, 9.1.1, 10.1.6, and 10.1.7 of the eslint-config-prettier package deal. The group shortly noticed one thing was amiss, and notified the developer.
It was decided the malicious model runs a postinstall script as quickly as it’s put in. This script tries to execute a DLL through the rundll32 Home windows system course of which is now being flagged as a trojan.
Nearly all of antivirus applications are nonetheless not flagging this .DLL as malware. Up to now, simply 19 out of 72 engines are detecting this DLL as malicious.
“I’ve deleted that npm token and can publish a brand new model ASAP,” JounQin stated after realizing they had been compromised. “Thanks all, and sorry for my negligence.”
Here’s a checklist of the malicious packages which must be prevented:
eslint-config-prettier variations 8.10.1, 9.1.1, 10.1.6, and 10.1.7.
eslint-plugin-prettier variations 4.2.2 and 4.2.3.
synckit model 0.11.9
@pkgr/core model 0.2.8
napi-postinstall model 0.3.1
Through BleepingComputer
