The developers of the Node.js package manager npm have removed malicious code that attempted to steal data from developers’ systems.
The “fallguys” package contained malicious code that attempted to read sensitive files on a user’s system, npm said in a security advisory.
The malware was designed to send the data it collected to the Discord communications platform via a webhook, npm said.
The malicious code attempted to access five paths on Windows systems, four of which are used to store data for the Chrome, Opera, Yandex and Brave browsers.
The fifth path is used for data storage by the Discord application.
Npm advised developers to remove the package from their systems and to ensure any security credentials that may have been compromised are changed.
The “fallguys” name is apparently a reference to the game Fall Guys: Ultimate Knockout.
The malicious package was available on the npm portal for two weeks, during which time it was downloaded nearly 300 times, according to npm’s telemetry.
The incident underscores how the complexity of modern software development can leave software projects vulnerable to the insertion of malicious code.
Npm is a JavaScript package manager, and is widely used to include external libraries from the Node.js runtime in any software.
It is developed by npm, a subsidiary of GitHub, which is in turn owned by Microsoft.
Hackers have been caught in the past attempting to insert malicious code into npm, notably at the beginning of this year, when attackers added the malicious package 1337qq-js to npm, uploading it on 31 December.
The package targeted Unix systems, from which attempted to steal information via install scripts. It was removed after being reported by Microsoft’s Vulnerability Research team on 13 January.
In June of last year, npm said it foiled an attempt to compromise the Agama cryptocurrency wallet via a malicious npm package.
“The attack was carried out by using a pattern that is becoming more and more popular; publishing a ‘useful’ package… to npm, waiting until it was in use by the target, and then updating it to include a malicious payload,” npm said at the time.
Npm said its internal security tools alerted it to the threat, after which it contacted Komodo, the cryptocurrency platform that had acquired Agama’s developer, and removed the malicious package from its systems.
Even so, Komodo said attackers had succeeded in gaining control of about 1 million KMD, currently the equivalent of about £580,000.
Komodo said a hacker had spent “several months” making useful contributions to the Agama repository on GitHub before inserting the malicious code.
“Eventually, the hacker added malicious code to an update of a module that Komodo’s Agama was already using,” Komodo said at the time.
In 2018 hackers targeted a popular JavaScript library called event-stream, also via npm, in an effort to steal funds from cryptocurrency wallets.
Legal headache deepens for TikTok in US, after a number of states file lawsuits alleging…
After HBO documentary names Canadian crypto expert Peter Todd as Bitcoin inventor – but he…
Supreme Court clears X to resume access in Brazil, after high profile clash between top…
US Department of Justice mulls asking judge to force Google to sell parts of its…
US Supreme Court declines to hear appeal from X, formerly Twitter, over nondisclosure order attached…
US federal judge orders Google to undertake wide range of measures allowing third-party app stores…