
Cookie code compromise caper caught and crumbled

Ploy to plant malware in NPM's JavaScript registry foiled

NPM, the biz responsible for the Node Package Manager for JavaScript and Node.js, on Wednesday caught a miscreant trying to tamper with web cookie modules, and managed to exile the individual and the associated code before significant harm was done.

It's a good sign for the code registry, which over the past few years has had to clean up several security snafus tied to its increasingly popular collection of libraries.

In January, NPM mistakenly removed a developer's account due to a failure to review sanctions suggested by an automated anti-spam system. And in August last year, NPM missed a typosquatting attack that went on for two weeks.

This time, the process was a bit more surgical.

"Early May 2nd, the NPM security team received and responded to reports of a package that masqueraded as a cookie parsing library but contained a malicious backdoor," security engineer Adam Baldwin disclosed in a blog post. "The result of the investigation concluded with three packages and three versions of a fourth package being unpublished from the NPM registry."


The backdoored package was called getcookies. Two other packages were involved, express-cookies, which included getcookies, and http-fetch-cookies, which included express-cookies (and therefore getcookies). The fourth package, mailparser, incorporated http-fetch-cookies in three sequential versions.

The backdoor was designed to scan HTTP request.headers, looking for a command string. Were someone to set up a web application using the Express.js framework and one of the compromised modules, an attacker could submit a remote command as a web request and potentially execute arbitrary code under the same privilege level as the application.

As a result of its investigation, NPM removed the account of dustin87, associated with the malicious code, and unpublished getcookies, express-cookies and http-fetch-cookies. It also removed three versions of mailparser (2.2.3, 2.2.2, and 2.2.1) that incorporated the unsafe http-fetch-cookies module and reset the NPM tokens tied to mailparser to prevent the appearance of more unauthorized variants.

The mailparser module, said Baldwin, has been deprecated – meaning it's no longer recommended and should be removed from production code when possible – but it still gets downloaded 64,000 times a week.

Playing the long game

In a phone call with The Register, Baldwin said he believed the attack represented an effort to inflate the download counts of express-cookies and http-fetch-cookies, to make them appear popular enough that developers would choose to use one in conjunction with Express.js, a popular JavaScript framework for making web applications.

The scheme involved including http-fetch-cookies in mailparser but not actually using it, in order to inflate its apparent popularity and boost its legitimacy.

Baldwin speculates that the attacker somehow obtained credentials for mailparser and used those to publish versions with the compromised code.

Baldwin claims no packages published to the NPM registry incorporated the malicious modules in a way that would have allowed the backdoor to function.

However, if a developer created an Express.js application and included one of the malicious modules, that application could be accessible through the backdoor.

"We believe that the attacker likely would have used another application to create payloads to be used with this backdoor," said Baldwin in an email to The Register.

"The goal of these backdoored modules was to look legitimate enough to be included in Express-based applications; once deployed, the attacker then could have remotely executed commands on those systems through this backdoor."

Aware that it attracts troublemakers, NPM has been hardening its security posture. Last month, it acquired ^Lift Security, the group that developed the Node Security Platform and included Baldwin. Last week, it rolled out npm@6, which includes security features like alerts when attempting to install vulnerable modules and an "audit" command.

Baldwin explained that NPM's registry now has almost 700,000 packages and almost 10 million users, making it a magnet for those seeking to distribute malware.

"We’ll continue to see people attempt to publish software like this," he said. "The thing to remember here is that anybody can publish some piece of code to the NPM registry, but this is not a guarantee that others will use it – or, even if they use it, that they will use it in a way that leads to a malicious outcome." ®
