After being notified by members of the development community, the npm security team recently began investigating three suspicious packages and one of them turned out to include a backdoor or a secret entranceway unbeknownst by users. The modules, called getcookies, express-cookies and http-fetch-cookies, had been uploaded by the same user.
The getcookies package contained malicious code that allowed remote users to execute arbitrary code on servers through commands hidden in HTTP request headers. The other two packages were decoys and their purpose was to make it harder to discover getcookies.
The backdoor’ed module was listed as a dependency for express-cookies, which was itself listed as a dependency for http-fetch-cookies. The investigation also revealed that a few weeks ago, an existing package called mailparser began listing http-fetch-cookies as a dependency, completing the malicious chain.
“Despite being deprecated, mailparser still receives about 64,000 weekly downloads,” the npm security team said in a blog post. “We searched for how users of this module might be impacted. We determined the published versions of mailparser that depended on http-fetch-cookies did not use the module in any way, eliminating any risk the backdoor posed. We speculate that mailparser’s requiring http-fetch-cookies was to execute an attack in the future or to inflate download counts of express-cookies to add to its legitimacy.”
But while applications that used mailparser were not affected, those that directly pulled in any of the other three modules might have been compromised.
The modules have been unpublished from the npm registry, along with three versions of mailparser—2.2.3, 2.2.2 and 2.2.1—that listed http-fetch-cookies as a dependency. It’s not clear how the rogue dependency was added in the first place to mailparser, which is no longer maintained but is still listed itself as a dependency for 213 other modules.
Researchers warned in the past that a large number of module maintainers used weak passwords, but the npm maintainers have taken several actions to address that problem since then. That said, there are many ways in which developers can have their computers infected with malware and any such compromise presents an opportunity for attackers to backdoor legitimate code and launch software supply-chain attacks.
This is not the first time when malicious packages have been found in the npm registry, or the popular package repositories for other programming languages, but for the most part those attacks used typosquatting — the publishing of rogue packages with names very similar to popular ones.
This incident, however, was better thought out, abusing the dependency system to make the backdoor’ed package appear more legitimate and to make it harder for users to detect it. It highlights why it’s important for developers to carefully review the modules they use in their applications and to maintain software bills of materials so they can quickly assess the damage if any of those components gets compromised.
Feature image via Pixabay.