Malicious Code Invasion: 10 npm Packages Turned Info-Stealers Overnight!
Yesterday, ten npm packages went rogue with malicious code, targeting crypto-related projects and stealing environment variables like they were secret recipes. The most popular victim, “country-currency-map,” was downloaded thousands of times. Researchers suggest compromised maintainer accounts, proving once again that old passwords are like expired milk—dangerous and best avoided.

Hot Take:
Looks like npm just got a makeover from the dark side! With malicious code slipping into popular packages like a ninja in a library, developers need to stay vigilant. Because nothing screams ‘I love coding’ like sharing your precious API keys and cloud credentials with some random guy on the internet!
Key Points:
- Ten npm packages were updated with malicious code targeting sensitive data.
- The campaign focused on cryptocurrency-related packages, including the popular ‘country-currency-map’.
- The malicious code was found in two scripts that execute upon package installation.
- The attack is likely due to compromised npm maintainer accounts.
- Maintainers of older packages may no longer be actively involved, leaving those packages and their publishing accounts exposed to takeover.
npm Drama: Malicious Code Strikes Again!
In the latest episode of “As the Code Turns,” ten npm packages were sneakily updated with malicious code designed to rob developers of their sensitive information. The campaign primarily targeted packages related to cryptocurrency, which makes sense because, let’s be honest, who wouldn’t want a piece of that digital gold rush? The ‘country-currency-map’ package, a popular choice among developers with thousands of downloads per week, was one of the main packages hit. It’s like throwing a party and inviting a bunch of data thieves who help themselves to your secret stash of API keys and cloud credentials.
Meet the Usual Suspects: Scripts of Doom
The investigation into this code caper was led by Sonatype’s very own cyber-sleuth, Ali ElShakankiry. His keen eye uncovered two heavily obfuscated scripts named “/scripts/launch.js” and “/scripts/diagnostic-report.js,” which execute their dastardly deeds the moment the package is installed. These scripts were busy bees, sending environment variables straight to a remote host like they were postcards from a tropical vacation. Environment variables, for those not in the know, are like the Pandora’s box of developer secrets, holding API keys, database credentials, and more – all ripe for plundering.
Clueless Maintainers and the Mystery of Compromised Accounts
Ax Sharma, a malware analyst and part-time detective, pointed out that the malicious code was identical across all affected packages, suggesting a compromise of the npm maintainer accounts. This makes sense considering the packages had been on their best behavior for years. The likely culprits? Credential stuffing, where attackers reuse usernames and passwords leaked from other breaches, or an expired domain takeover, where the lapsed domain behind a maintainer’s e-mail address is re-registered to reset the account password. It’s like leaving your front door wide open and wondering why you’re missing a TV. The simultaneous attacks on multiple packages suggest a maintainer takeover rather than a sophisticated phishing scheme. So, watch out, Sherlock!
The Rogue’s Gallery: Packages Gone Bad
Here’s the lineup of our npm package rogues: ‘country-currency-map’, ‘@keepkey/device-protocol’, ‘bnb-javascript-sdk-nobroadcast’, ‘@bithighlander/bitcoin-cash-js-lib’, ‘eslint-config-travix’, ‘babel-preset-travix’, ‘@travix/ui-themes’, ‘@veniceswap/uikit’, ‘@crosswise-finance1/sdk-v2’, and ‘@veniceswap/eslint-config-pancake’. While ‘country-currency-map’ has seen a quick cleanup with its malicious version being deprecated, the rest are still out there like digital bandits, ready to infect unwary projects.
Oldies but Goodies: Packages in Retirement
It seems some of these packages are like the retired folk of the npm world, living out their golden years with little oversight from their creators. This lack of active involvement from maintainers opens the door for security breaches. Even though npm has made two-factor authentication a must for popular projects, older packages that haven’t seen an update in years are still vulnerable. It’s like leaving a classic car in a rough neighborhood with the keys in the ignition – you’re just asking for trouble.
In conclusion, the npm community is reminded once again of the importance of vigilance and security, especially with older packages that might not have the same level of oversight as newer ones. So, the next time you’re about to install an npm package, remember to check for any signs of malicious activity, because you never know when a seemingly innocent piece of code might turn into a digital heist. Stay safe, coders!