Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security

Three npm Packages Opened Remote-Access Shells on Linux and Windows Systems (zdnet.com) 65

"Three JavaScript packages have been removed from the npm portal on Thursday for containing malicious code," reports ZDNet.

"According to advisories from the npm security team, the three JavaScript libraries opened shells on the computers of developers who imported the packages into their projects." The shells, a technical term used by cyber-security researchers, allowed threat actors to connect remotely to the infected computer and execute malicious operations. The npm security team said the shells could work on both Windows and *nix operating systems, such as Linux, FreeBSD, OpenBSD, and others.

All three packages were uploaded on the npm portal in May (first) and September 2018 (last two). Each package had hundreds of downloads since being uploaded on the npm portal. The packages names were:

plutov-slack-client
nodetest199
nodetest1010

"Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer," the npm security team said.

This discussion has been archived. No new comments can be posted.

Three npm Packages Opened Remote-Access Shells on Linux and Windows Systems

Comments Filter:
  • Oh come ON (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Sunday October 18, 2020 @07:06PM (#60623102)

    ”The shells, a technical term used by cyber-security researchers, allowed threat actors to connect remotely to the infected computer and execute malicious operations.“

    Gee, thanks for a (very poor) explanation of what a “shell” is.

    Seriously, Slashdot?

  • Dependency Graph (Score:5, Insightful)

    by bill_mcgonigle ( 4333 ) * on Sunday October 18, 2020 @07:37PM (#60623168) Homepage Journal

    Hey, npm, nobody is installing those manually.

    The responsible thing to do is work your logs and build the reverse dependency graph of what was including them. Admins can act on that and CVE can do its thing.

    If none, we can perhaps conclude that npm was 'just' being used as a malware distribution problem. Which is way better.

    What's never going to happen is that every time npm discovers a problem every admin everywhere who has some dev who's touched npm is going to scour their systems.

  • Who didn't see that one coming? It's going to happen with pip sooner or later.

    • pypi.org seems to be trying to be cautious about reviewing packages before posting them, but it is a real risk. ant and maven pulling in jar viles, riubygems, and perl modules with CPAN all have the same issues. It's a recurring problem when developers each insist on their own unique new package management system.

      • by Jahta ( 1141213 )

        pypi.org seems to be trying to be cautious about reviewing packages before posting them, but it is a real risk. ant and maven pulling in jar viles, riubygems, and perl modules with CPAN all have the same issues. It's a recurring problem when developers each insist on their own unique new package management system.

        Well there are problems with languages using the package management systems of distros. For example, in quite a few distros the maintainers use python for various plumbing/maintenance tasks. If you are a python developer, this means that you either (a) are stuck with the distro's python version and the (usually limited) set of modules in the distro's repo or (b) use python virtual environments and pip-install the modules you need (and possibly alternate python versions).

        • Having a stable base python and associated sytem modules one has to work within is the cost that goes with _having_ a stable system release and associated components one can consistently rely on, and avoid unpredictable incompatibility with upgraded modules pulled in by other components.

          The incompatibility can usually be worked around by defining a separate space for the variant python. and using "virtualenv" or other alternative python handling tools judiciously. Similar approaches have worked for CPAN and

          • by Jahta ( 1141213 )

            Having a stable base python and associated sytem modules one has to work within is the cost that goes with _having_ a stable system release and associated components one can consistently rely on, and avoid unpredictable incompatibility with upgraded modules pulled in by other components.

            I agree there are real benefits in having a stable distro; I'm using a distro based on Debian stable myself. But it is useful to have a way to maintain an alternative, more current, set of developer tools in userland; hence the need for things like pip for python.

  • Use a GUI, not a shell. Haven't you seen any movies?

  • Node needs to build a permission system so libraries can be limited what they can and cant do. Crazy that every lib that is reference can do anything they like.
    • What programming language allows you to limit what a *library* can and can't do? Java doesn't (it has security managers but they don't recognize library boundaries), C++ doesn't, PHP doesn't, Python doesn't. Libraries running in the same security context as the caller is not crazy, it's the norm.
      The fact that Javascript is particularly bad for security (as well) is another discourse.
      • Javas security managers are still better than the nothing of Node. I appreciate basically nobody uses them (security manager in java) but at least you can limit file system paths, network access and so on. With Node anything goes and theres not a thing you can do about it.
        • With Node you can just patch the fs module if you want to lock it down. This approach is used for mocking filesystems in unit tests. Most other modules are pretty similar. There's nothing here that is specific to JavaScript or npm. This is what open source software development looks like.

          • Thats like plastic recycling, you can recycle, but in the end enough dont, and with large numbers of developers and other types that ends up being a very big number.
  • Sounds like a lot of corporate slacks are even more compromised than they already were.

    Imagine making a developer sign a 12 page NDA on hiring.. Then doing all your development work on a public free slack server.

  • by ponraul ( 1233704 ) on Monday October 19, 2020 @10:06AM (#60624852)
    It's just another world in 2020. If Perl were still the lingua franca of scripting we'd definitely be seeing malware and typosquatting in CPAN.

The trouble with being punctual is that nobody's there to appreciate it. -- Franklin P. Jones

Working...