tl;dr: No package in the npm Registry uses the malicious module in a way that triggers the backdoor. The possibility that an application not published to the Registry uses the malicious module directly is small, but it is outside our scope of analysis.

Initial reports from the community indicated that the package getcookies contained a hidden backdoor, that express-cookies and http-fetch-cookies depend on it, and that mailparser in turn depends on http-fetch-cookies.

After receiving the report, npm's security team began an investigation. Its purpose was to determine whether the reported packages actually contained malicious code and, if so, how widespread the impact could be.

We won't disclose everything about the backdoor here, but we will share some highlights of what we learned during the review.

The backdoor parses the headers of the user-supplied HTTP request, looking for specifically formatted data that carries one of three commands to the backdoor.

JSON.stringify(req.headers).replace(/g([a-f0-9]{4})h((?:[a-f0-9]{2})+)i/gi, (o, p, v) => {})

Here the request headers are stringified and searched for data in the format gCOMMANDhDATAi: a literal g, a four-hex-digit command, a literal h, an even-length run of hex digits carrying the data, and a literal i, matched case-insensitively.

Available control flow codes:

  • 0xfffe – Resets the code buffer

  • 0xfffa – Runs the code in the buffer by calling vm.runInThisContext, providing the module.exports, require, req, res, and next arguments

  • default – Loads the remote code into memory for execution

These control codes allow an attacker to inject arbitrary code into a running server.
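To make the protocol concrete, here is an added example (not code from the npm post or from the getcookies package) that extracts gCOMMANDhDATAi commands from a header object exactly the way the backdoor's regex does, replays the three-state buffer logic without ever executing the decoded payload, and wraps the same scan in an Express-style middleware that rejects such requests before a vulnerable dependency sees them. The command names, the treatment of the default branch as "append to buffer", and the sample request are our assumptions.

```javascript
'use strict';

// Same pattern the post shows: "g" + 4 hex digits (command) + "h" + hex bytes (data) + "i".
const CONTROL_RE = /g([a-f0-9]{4})h((?:[a-f0-9]{2})+)i/gi;

// Control codes named in the post; the constant names are ours.
const CMD_RESET = 0xfffe;
const CMD_RUN = 0xfffa;

// Extract every embedded command from a header object the way the backdoor
// does: stringify the whole object (names and values) and scan it.
function extractCommands(headers) {
  const found = [];
  JSON.stringify(headers).replace(CONTROL_RE, (match, cmdHex, dataHex) => {
    found.push({
      command: parseInt(cmdHex, 16),
      data: Buffer.from(dataHex, 'hex').toString('utf8'),
    });
    return match; // we only collect; the string is not rewritten
  });
  return found;
}

// Replay the protocol on a code buffer. Returns every payload the backdoor
// would have handed to vm.runInThisContext. The default branch is modelled as
// appending the decoded data to the buffer (our assumption; the post only says
// it loads the remote code into memory).
function simulate(commands) {
  let buffer = '';
  const executed = [];
  for (const { command, data } of commands) {
    switch (command) {
      case CMD_RESET:
        buffer = '';
        break;
      case CMD_RUN:
        executed.push(buffer); // the real backdoor would run this here
        break;
      default:
        buffer += data;
    }
  }
  return { executed, buffer };
}

// Express-style middleware: refuse any request whose headers carry the
// control pattern, so a backdoored dependency downstream never sees it.
function rejectBackdoorCommands(req, res, next) {
  if (extractCommands(req.headers).length > 0) {
    res.statusCode = 400;
    res.end('rejected');
    return;
  }
  next();
}

// Constructed sample request: an unremarkable header name whose value smuggles
// `process.exit(1)` into the buffer (command 0xffff falls into the default
// branch) and then issues the run command.
const payload = Buffer.from('process.exit(1)', 'utf8').toString('hex');
const sampleHeaders = {
  host: 'example.test',
  'x-meta': `gffffh${payload}i gfffah00i`,
};

// Stand-alone demo: what the backdoor would decode and what it would execute.
const commands = extractCommands(sampleHeaders);
console.log(commands);
console.log(simulate(commands));
```

Because the match runs over the stringified object with the i flag, the pattern is also found when it is split across a header name and value or written in upper case; a detection rule that only inspects individual header values, or only lower-case letters, would miss it.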

In addition to the backdoor code, other aspects of these modules raised red flags:

  • Based on a reverse image search, the profile image of the user who published getcookies appears to be a stock photo.

  • The GitHub account linked from the npm packages was created in March.

  • Downloads of getcookies, express-cookies, and http-fetch-cookies spiked a few weeks ago, which appears to be related to the mailparser release that depends on http-fetch-cookies.

Although mailparser is deprecated, it is still downloaded about 64,000 times a week. On investigation, we found that the released versions of mailparser that depended on http-fetch-cookies did not use the module in any way, which eliminates the risk from the backdoor for them. We speculate that the http-fetch-cookies dependency added to mailparser was either an attack in the making or was intended to lend legitimacy to express-cookies by inflating its download count.

As a result, mailparser users were never affected; only users who directly required and used the express-cookies or getcookies packages were affected.
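Since the distinction that matters is whether your application depends on one of the unpublished packages directly or only via the inert mailparser path, here is an added check (not code from the npm post) that walks a dependency tree in the nested shape printed by `npm ls --json` and reports every path by which one of those packages is reached, flagging the direct ones. The sample tree and its version numbers are constructed for illustration, not taken from the real packages.

```javascript
'use strict';

// Packages npm unpublished in response to the report.
const UNPUBLISHED = new Set(['getcookies', 'express-cookies', 'http-fetch-cookies']);

// Walk a nested tree ({ dependencies: { name: { version, dependencies } } })
// and return every occurrence of a watched package with the path that reaches
// it. A hit is "direct" when it sits immediately under the root.
function findPackages(tree, names = UNPUBLISHED) {
  const hits = [];
  const walk = (deps, path) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...path, `${name}@${info.version}`];
      if (names.has(name)) {
        hits.push({ name, version: info.version, path: here.join(' > '), direct: path.length === 0 });
      }
      walk(info.dependencies, here);
    }
  };
  walk(tree.dependencies, []);
  return hits;
}

// Constructed sample tree (versions are placeholders): the app depends on
// mailparser, which in this sample pulls in http-fetch-cookies, and it also
// requires express-cookies directly, which is the affected case.
const sampleTree = {
  name: 'sample-app',
  version: '1.0.0',
  dependencies: {
    mailparser: {
      version: '1.0.0',
      dependencies: {
        'http-fetch-cookies': {
          version: '1.0.0',
          dependencies: { getcookies: { version: '1.0.0' } },
        },
      },
    },
    'express-cookies': {
      version: '1.0.0',
      dependencies: { getcookies: { version: '1.0.0' } },
    },
  },
};

for (const hit of findPackages(sampleTree)) {
  console.log(`${hit.direct ? 'DIRECT' : 'transitive'}: ${hit.path}`);
}
```

To run it against a real project, pipe `npm ls --json --all` (npm 7+) or `npm ls --json` (npm 6) into `JSON.parse` and pass the result to `findPackages`. A transitive hit through mailparser alone means the dead dependency was present but never called; a direct hit means the application itself required the backdoored code.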

In response, npm took the following measures:

  • Deleted the dustin87 user and unpublished getcookies, express-cookies and http-fetch-cookies;

  • Removed the three versions of mailparser that depended on the http-fetch-cookies module;

  • Reset the npm tokens of the mailparser authors to prevent unauthorized publishing.

Back in August 2017, the npm team removed 38 JavaScript packages that stole environment variables from the projects that installed them. The npm Registry now hosts nearly 700,000 packages and serves 10 million users, enough to attract the attention of attackers.

Last month, npm acquired ^Lift Security and the Node Security Platform, bringing Adam Baldwin onto the npm team to focus on security for the npm Registry and npm applications. npm also added security features to the recently released npm 6, such as automatic warnings when untrusted or vulnerable modules are installed.

https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies