As part of another complex supply-chain attack, password-stealing malware was found hiding in the npm open-source code repository. The code steals passwords from Chrome on Windows systems.
Researchers found that the malicious code abuses a legitimate password-recovery tool for Google’s Chrome web browser. The malware also appears to be multifunctional, enabling the attacker to record the victim’s screen and camera, execute shell commands and upload files.
What is NPM?
NPM (short for Node Package Manager) is the default package manager for the JavaScript runtime environment Node.js, which is built on Chrome’s V8 JavaScript engine.
NPM hosts an astonishing 1.5 million unique packages and serves more than 1 billion requests for JavaScript packages a day to approximately 11 million developers all over the world.
Exploiting Google ChromePass Tool to Snatch Passwords
NPM contains many types of executable files, such as PE, ELF, and Mach-O. Researchers from ReversingLabs stated in a recent post that they’d uncovered an intriguing embedded Windows executable file: a password-stealer labeled “Win32.Infostealer.Heuristics”. The file was found in two packages: nodejs_net_server and temptesttempfile.
The main threat seems to be the first package, nodejs_net_server, with 12 released versions and more than 1,300 downloads since February 2019, when it was first published. Someone under the name “chrunlee” made the last update. The developer is also active on GitHub, where they work on 61 repositories.


Researchers found the Win32.Infostealer.Heuristics file in various versions of the nodejs_net_server package. The file’s original name was “a.exe,” and it was located in the “lib” folder. a.exe turned out to be a utility called ChromePass, which is a legitimate recovery tool that retrieves credentials stored in a Chrome web browser.
Chrunlee upgraded the malicious package with a script to download the password-stealer last December. The developer hosts the malware on a personal website. It was subsequently tweaked to run TeamViewer.exe instead, “probably because the author didn’t want to have such an obvious connection between the malware and their website,” ReversingLabs researchers theorized.
The second package, temptesttempfile, has more than 800 downloads. This one left researchers in the dark since “homepage and GitHub repository links to this package lead to non-existing webpages,” the analysts observed. The purpose of this particular package remains unclear, according to researchers.
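A defender can catch a finding like the embedded a.exe described above by checking file headers rather than file names. The following Node.js sketch is an added example, not ReversingLabs’ tooling or code from either package; the function names and the sample package contents are constructed for illustration.

```javascript
// Added example: flag native executables in an unpacked npm package by header.
function detectExecutableFormat(buf) {
  if (buf.length < 4) return null;
  const magic = buf.readUInt32BE(0);
  if (magic === 0x7f454c46) return 'ELF'; // 0x7F 'E' 'L' 'F'
  // Thin Mach-O, 32/64-bit, either byte order.
  if ([0xfeedface, 0xfeedfacf, 0xcefaedfe, 0xcffaedfe].includes(magic)) return 'Mach-O';
  // Fat Mach-O shares 0xCAFEBABE with Java class files: a fat header holds a
  // small architecture count here, a class file holds a version word >= 45.
  if (magic === 0xcafebabe && buf.length >= 8 && buf.readUInt32BE(4) < 20) return 'Mach-O';
  // PE: "MZ" DOS header whose e_lfanew field (offset 0x3C) points at "PE\0\0".
  if (buf.length >= 0x40 && buf.readUInt16LE(0) === 0x5a4d) {
    const peOffset = buf.readUInt32LE(0x3c);
    if (peOffset + 4 <= buf.length && buf.readUInt32BE(peOffset) === 0x50450000) return 'PE';
  }
  return null;
}

// files: [{ path, data: Buffer }] taken from an unpacked package tarball.
function findEmbeddedExecutables(files) {
  return files
    .map(({ path, data }) => ({ path, format: detectExecutableFormat(data), size: data.length }))
    .filter((f) => f.format !== null);
}

// Load a real unpacked package directory from disk (hypothetical helper).
function readPackageDir(dir, files = []) {
  const fs = require('fs'), path = require('path');
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) readPackageDir(full, files);
    else if (entry.isFile()) files.push({ path: full, data: fs.readFileSync(full) });
  }
  return files;
}

// Constructed sample mirroring the layout in the article; the "a.exe" bytes
// are a minimal header stub built here, not a real binary.
function constructedPeStub() {
  const buf = Buffer.alloc(0x84);
  buf.write('MZ', 0, 'latin1');
  buf.writeUInt32LE(0x80, 0x3c);
  buf.write('PE\0\0', 0x80, 'latin1');
  return buf;
}
const SAMPLE_PACKAGE = [
  { path: 'package/package.json', data: Buffer.from('{"name":"sample","version":"0.0.0"}') },
  { path: 'package/lib/a.exe', data: constructedPeStub() },
  { path: 'package/lib/notes.txt', data: Buffer.from('MZ' + ' '.repeat(78)) },
];
console.log(findEmbeddedExecutables(SAMPLE_PACKAGE));
```

To scan a package before installing it, unpack the tarball produced by `npm pack <name>` and pass the directory to `readPackageDir`, then feed the result to `findEmbeddedExecutables`.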
Oops! The Hacker Accidentally Exposed Their Own Credentials
Blame it on karma, but chrunlee mistakenly published their own stored login passwords and usernames, side by side with the password-snatching code.
“It appears that the published versions 1.1.1 and 1.1.2 from the npm repository include the results of testing the ChromePass tool on the author’s personal computer. These login credentials were stored in the ‘a.txt’ file located in the same folder as the password-recovery tool, named ‘a.exe’.”
ReversingLabs
Another funny thing is that the text file contains 282 login credentials from chrunlee’s browser, with lame passwords like “111” and usernames such as “admin.”

Problem Packages Are Now Removed
After discovering the two threats, ReversingLabs contacted the NPM security team on July 2 and let them know about nodejs_net_server and temptesttempfile. Unfortunately, the team failed to remove the packages from the repository the first time, so ReversingLabs contacted them once again last week.
A GitHub representative stated that “Both packages were removed following our investigation.”
Not The First NPM Hijack
NPM has been infected with poisonous code before. Earlier this year, three malware packages were published to NPM. They were stealing tokens and other information from Discord users.
Two other attacks took place in 2018: in July, an attacker compromised the login information of an ESLint maintainer and published malicious versions of the popular “eslint-scope” and “eslint-config-eslint.”
In November 2018, another malicious package was found: it was a dependency of version 3.3.6 of the popular package “event-stream.” The malicious package, called “flatmap-stream,” contained an encrypted payload tailored to steal Bitcoins from the Copay application.
Sources:
ThreatPost threatpost.com/npm-package-steals-chrome-passwords
OODA Loop www.oodaloop.com/npm-package-steals-passwords-via-chromes-account-recovery-tool