- An npm package maintainer was the victim of a phishing attack
- The attackers used the stolen credentials to publish package versions that deliver malware
- Most antivirus programs still do not flag the malicious DLL
Several popular npm packages with millions of weekly downloads were hijacked and used as a launchpad for deploying malware after their maintainer fell prey to a phishing attack.
JounQin is a software developer who maintains eslint-config-prettier, eslint-plugin-prettier, synckit, @pkgr/core and napi-postinstall.
These packages help integrate and streamline code formatting with Prettier and ESLint, run asynchronous tasks synchronously in Node.js, handle native binary installations, and provide basic utilities for bundling workflows.
Publish a clean version
Prettier is a code formatting tool that enforces a consistent style by automatically reformatting source code. ESLint, on the other hand, is a static analysis tool that scans JavaScript and TypeScript code for bugs, style problems and potential security defects without executing it.
They recently received an email spoofing [email protected] that asked them to "verify" their account. They did, handing their login credentials to the attackers. With that access, the attackers published versions 8.10.1, 9.1.1, 10.1.6 and 10.1.7 of the eslint-config-prettier package. The community quickly spotted that something was wrong and informed the developer.
The malicious versions were found to run a postinstall script as soon as the package is installed. That script attempts to execute a DLL via the Windows rundll32 system process; the DLL is now flagged as a Trojan.
Most antivirus engines still do not flag this DLL as malware: so far only 19 of 72 engines detect it as malicious.
“I deleted this npm token and will publish a new version as soon as possible,” said JounQin after realizing that they were compromised. “Thank you all, and sorry for my negligence.”
Here is a list of the malicious package versions that must be avoided:
- eslint-config-prettier versions 8.10.1, 9.1.1, 10.1.6 and 10.1.7
- eslint-plugin-prettier versions 4.2.2 and 4.2.3
- synckit version 0.11.9
- @pkgr/core version 0.2.8
- napi-postinstall version 0.3.1
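The list above and the postinstall mechanism described earlier translate directly into a lockfile check a defender can run in CI. The following Node.js script is an added example, not code from the article or from the affected projects: it audits a package-lock.json (lockfile v2/v3) for the compromised versions listed above and additionally flags every dependency that declares an install lifecycle script, since that is the hook the malicious eslint-config-prettier releases used. The `hasInstallScript` field is the flag npm writes into lockfile entries whose package.json declares a preinstall, install or postinstall script; the sample lockfile embedded in the script is constructed for illustration and is not real project data.

```javascript
// Added example (not part of the article): audit a package-lock.json (v2/v3)
// for the compromised versions the article lists and for any dependency that
// declares an install lifecycle script (preinstall/install/postinstall), the
// mechanism the malicious eslint-config-prettier releases used.

// Compromised package versions exactly as listed in the article.
const COMPROMISED_VERSIONS = {
  'eslint-config-prettier': ['8.10.1', '9.1.1', '10.1.6', '10.1.7'],
  'eslint-plugin-prettier': ['4.2.2', '4.2.3'],
  'synckit': ['0.11.9'],
  '@pkgr/core': ['0.2.8'],
  'napi-postinstall': ['0.3.1'],
};

// A lockfile "packages" key looks like "node_modules/@pkgr/core" or, for a
// nested copy, "node_modules/foo/node_modules/@pkgr/core"; the package name is
// everything after the last "node_modules/".
function nameFromLockKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Walk every installed package in the lockfile and return a list of findings.
// npm sets `hasInstallScript: true` on an entry whose package.json declares a
// preinstall, install or postinstall script.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (key === '') continue; // the root project itself, not a dependency
    const name = nameFromLockKey(key);
    const version = entry.version;
    const bad = COMPROMISED_VERSIONS[name] || [];
    if (bad.includes(version)) {
      findings.push({ name, version, path: key, reason: 'known-compromised-version' });
    }
    if (entry.hasInstallScript === true) {
      findings.push({ name, version, path: key, reason: 'declares-install-script' });
    }
  }
  return findings;
}

// Render findings one per line; a known-compromised version makes the exit
// code non-zero so a CI job fails, while install scripts are reported only.
function report(findings) {
  const lines = findings.map(f => `${f.reason}: ${f.name}@${f.version} (${f.path})`);
  const blocking = findings.some(f => f.reason === 'known-compromised-version');
  return { lines, exitCode: blocking ? 1 : 0 };
}

// Constructed sample lockfile (not real project data): one compromised version
// that also runs an install script, one clean version, one compromised version
// installed as a nested copy, and an unrelated addon with an install script.
const SAMPLE_LOCK = {
  name: 'sample-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/eslint-config-prettier': { version: '10.1.6', hasInstallScript: true },
    'node_modules/eslint-plugin-prettier': { version: '5.1.3' },
    'node_modules/synckit/node_modules/@pkgr/core': { version: '0.2.8' },
    'node_modules/some-native-addon': { version: '2.0.0', hasInstallScript: true },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]
// With no argument the constructed sample lockfile is audited.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('node:fs');
  const lock = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_LOCK;
  const { lines, exitCode } = report(auditLockfile(lock));
  console.log(lines.length ? lines.join('\n') : 'no findings');
  process.exitCode = exitCode;
}
```

Run against the sample, the script reports four findings and exits non-zero because two of them are known-compromised versions. The install-script findings are informational: plenty of legitimate native addons need them, but the list tells you exactly which dependencies get to run code at install time. For environments where that is unacceptable, npm's own `--ignore-scripts` option (or `ignore-scripts=true` in .npmrc) prevents lifecycle scripts from running during `npm install` at all, which would have stopped the postinstall payload described above from executing.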
Via BleepingComputer