Search This Blog

A backdoor was discovered in npm package

The Node Package Manager (npm) team avoided a disaster when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.

npm of npm, Inc. is at JavaScript what the famous Maven of the Apache Foundation is in Java. It provides application lifecycle management tools, and it relies on a package registry to efficiently manage the runtime and development dependencies of JavaScript projects, whether backend or frontend.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team analyzed this package. The team reports say that getcookies contain a complex system to receive commands from a remote attacker that could target any JavaScript application that has embedded this library. The npm team explains: The backdoor works by parsing HTTP request. user-provided headers looking for specifically formatted data.

The npm team explains:

“The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specific formatted data that provides three different commands to the backdoor. We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi.”

According to the npm team, the backdoor "allowed an attacker to enter arbitrary code on a current server. 

But things didn't end here. The original backdoor module has been imported into other packages. The "getcookies" library was new and not that popular, being included in very few projects. The npm team says that it discovered a chain of nested dependencies through which the getcookies package was indirectly part of the structure of a very popular library called Mailparser.

Mailparser is an npm package for parsing email data using JavaScript. This is an old library, and one that's been deprecated in favour of a newer one named "Nodemailer."
Share it: