A Backdoor Was Discovered Inwards Npm Package

The Node Package Manager (npm) team avoided a disaster when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular, albeit deprecated, JavaScript package.

npm, from npm, Inc., is to JavaScript what the Apache Foundation's well-known Maven is to Java. It provides application lifecycle management tools, and it relies on a package registry to efficiently manage the runtime and development dependencies of JavaScript projects, whether backend or frontend.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies. The npm team analyzed this package. The team's report states that getcookies contains a complex system for receiving commands from a remote attacker, which could target any JavaScript application that has embedded this library.

The npm team explains:

“The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides 3 different commands to the backdoor. We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi.”

According to the npm team, the backdoor "allowed an attacker to input arbitrary code into a running server."

But things didn't stop there. The original backdoor module had been imported into other packages. The "getcookies" library was new and not that popular, being included in very few projects. The npm team says that it discovered a chain of nested dependencies through which the getcookies package was indirectly part of the build of a very popular library called Mailparser.

Mailparser is an npm package for parsing e-mail data using JavaScript. It is an old library, and one that has been deprecated in favour of a newer one named "Nodemailer."
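The practical question for a defender after an advisory like this is not whether getcookies is a direct dependency (it rarely was) but whether it is reachable anywhere in the nested dependency tree, as it was through Mailparser. The following is an added example, not code from the original post or from npm, that walks a package-lock.json in the lockfile v1 layout (where each entry may carry its own nested "dependencies" object) and reports every chain through which a flagged package is pulled in. The lock data is constructed for the example: the intermediate package name "fetch-helper" is a placeholder and the version strings are made up.

```javascript
// Added example (not the original post's or npm's code): find every chain of
// nested dependencies through which a flagged package is reached.

// Package names known to carry the backdoor. Only getcookies is named on the
// page; add further names here if an advisory lists them.
const FLAGGED = new Set(['getcookies']);

// Constructed lockfile v1 tree. "fetch-helper" is a placeholder intermediate
// package, and the versions are invented for the example.
const sampleLock = {
  name: 'example-app',
  dependencies: {
    mailparser: {
      version: '0.0.0-constructed',
      dependencies: {
        'fetch-helper': {
          version: '0.0.0-constructed',
          dependencies: {
            getcookies: { version: '0.0.0-constructed' },
          },
        },
      },
    },
    express: { version: '0.0.0-constructed' },
  },
};

// Depth-first walk over the nested "dependencies" objects. Each time a flagged
// name is met, the full path from the application root to it is recorded, so
// the output shows exactly which direct dependency dragged the package in.
function findDependencyChains(lock, flagged = FLAGGED) {
  const chains = [];
  function walk(deps, path) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = [...path, name];
      if (flagged.has(name)) chains.push(here);
      // Keep descending: a flagged package may itself have a vulnerable tree,
      // and the same name can appear again deeper down.
      walk(entry.dependencies, here);
    }
  }
  walk(lock.dependencies, []);
  return chains;
}

// The direct dependencies that ultimately reach a flagged package: these are
// the ones to pin, replace or remove.
function affectedDirectDependencies(lock, flagged = FLAGGED) {
  return [...new Set(findDependencyChains(lock, flagged).map((chain) => chain[0]))];
}

// Human-readable report for the constructed lock above.
function report(lock) {
  const chains = findDependencyChains(lock);
  if (chains.length === 0) return 'no flagged packages reachable';
  return chains.map((chain) => 'flagged package reached via: ' + chain.join(' -> ')).join('\n');
}

console.log(report(sampleLock));
```

To run this against a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a lockfile v2 or v3 file stores a flat "packages" map keyed by path instead of nested objects, so the walker above would need to be adapted for those layouts.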