Npm (Node.js Package Manager) developers say the npm command-line interface (CLI) client is affected by a security bug that combines a path traversal flaw with an arbitrary file (over)write issue.
The bug can be exploited by attackers to plant malicious binaries or overwrite legitimate apps on a user's computer. Which files are written or planted is at the attacker's whim, depending on what they are trying to achieve.
The vulnerability can be exploited only during the installation of a booby-trapped npm package via the npm CLI.
"However, as we have seen in the past, this is not an insurmountable barrier," said the npm team, referring to past incidents where attackers planted backdoored or booby-trapped packages on the official npm repository.
No signs of attacks
Npm developers say they have been scanning the npm portal for packages containing code designed to exploit this bug, but have not seen any suspicious cases.
“That does not guarantee that it hasn’t been used, but it does mean that it isn’t currently being used in published packages on the [official npm] registry,” npm devs said.
“We will continue monitoring,” they added. “However, we cannot scan all possible sources of npm packages (private registries, mirrors, git repositories, etc.), so it is important to update as soon as possible.”
The npm and yarn teams credited German security researcher Daniel Ruf with discovering this vulnerability. An in-depth technical report is available on Ruf’s blog.
Npm’s importance in the JS ecosystem
Hackers upload booby-trapped libraries to npm in the hope that legitimate projects will use them. They also hijack the npm accounts of known developers and then plant malicious code inside popular libraries. The end goal is to launch attacks or plant backdoors inside apps built with the booby-trapped npm packages, which they can later use to steal data from those apps' users.
There have been many such cases in the past. In July 2018, a hacker compromised the ESLint library with malicious code that was designed to steal the npm credentials of other developers.
In May 2018, a hacker tried to hide a backdoor in another popular npm package named getcookies.
Cryptocurrency users are often targets
Attackers often backdoor npm libraries or create booby-trapped clones to plant their code inside wallets and then steal user funds.
For example, in June this year, the npm team found malicious code inside an npm package that was designed to steal cryptocurrency wallet seeds and other login passphrases specific to cryptocurrency apps. The library was used by a cryptocurrency startup that chose to exploit the flaw itself before hackers could.
Another similar attack happened in November 2018, when hackers backdoored an npm package used by the Copay desktop and mobile wallet apps so they could steal bitcoins from its users.
The vulnerability patched today is dangerous enough to enable such attacks against developers of cryptocurrency wallets and their respective users.