Researchers have uncovered a malicious NPM package that steals Google Chrome passwords by abusing a legitimate password recovery tool.
NPM is the largest package manager for Node.js JavaScript, hosting nearly 1.5 million packages with more than 20 million package downloads every month.
The malicious NPM package targeted software developers by abusing a legitimate third-party tool known as “ChromePass”, a utility that recovers passwords stored by the Chrome browser.
The author of this package goes by the name chrunlee, who has actively developed nearly 61 repositories on GitHub; the GitHub profile links to the website hxxps://chrunlee(.)cn, where the actor actively posts articles.
Researchers from ReversingLabs found that this package has 12 published versions, with over 1,283 downloads in total since the package was initially published at the end of February 2019.
NPM Package Stealing Passwords
Malicious activity from the NPM package by “chrunlee” was found during a scan of public packages; the package performs several malicious actions against software developers.
The NPM package contains several types of executable files (PE, ELF, Mach-O) along with JavaScript files, including several versions of the nodejs_net_server package that is the primary focus of this research.
Researchers found the ChromePass utility, renamed “a.exe”, inside the “lib” folder of the package.
The ChromePass tool itself isn’t malicious, but the attacker abuses it to steal passwords and exfiltrate credentials, since it can also be run from the command line.
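As an added example (not code from the article or from ReversingLabs), the following Python scanner flags native executables such as the renamed a.exe inside an unpacked npm package by their file magic rather than their extension; the package layout and stub binaries it builds are constructed for demonstration only.

```python
"""Flag native executables (PE, ELF, Mach-O) inside an unpacked npm package tree.
Added example (not the article's or ReversingLabs' code); matched by magic, not extension."""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"
# Mach-O 32/64-bit, both byte orders; fat magic 0xCAFEBABE omitted (Java class files share it).
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}

def classify_executable(header: bytes):
    """Return 'PE', 'ELF' or 'MachO' for a native binary header, else None."""
    if header[:4] == ELF_MAGIC:
        return "ELF"
    if header[:4] in MACHO_MAGICS:
        return "MachO"
    if header[:2] == b"MZ" and len(header) >= 0x40:          # DOS stub present
        pe_off = struct.unpack_from("<I", header, 0x3C)[0]   # e_lfanew -> 'PE\0\0'
        if header[pe_off:pe_off + 4] == b"PE\0\0":
            return "PE"
    return None

def scan_package(root: str, header_len: int = 4096):
    """Walk an unpacked package; return sorted (relative_path, format) hits."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                kind = classify_executable(fh.read(header_len))
            if kind:
                hits.append((os.path.relpath(path, root).replace(os.sep, "/"), kind))
    return sorted(hits)

def build_demo_package() -> str:
    """Write a constructed tree mirroring the article's lib/a.exe layout (stub headers, not real programs)."""
    root = os.path.join(tempfile.mkdtemp(), "nodejs_net_server")
    os.makedirs(os.path.join(root, "lib"))
    pe = bytearray(0x44)                        # minimal PE: MZ, e_lfanew -> PE\0\0
    pe[:2], pe[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", pe, 0x3C, 0x40)
    samples = {"lib/a.exe": bytes(pe), "lib/helper": ELF_MAGIC + b"\x02\x01\x01",
               "lib/tool.txt": b"\xcf\xfa\xed\xfe" + b"\0" * 12,   # renamed Mach-O
               "lib/test.js": b"// plain JavaScript, not flagged\n"}
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Point `scan_package()` at an unpacked tarball from `npm pack` to review a dependency before installing it; `build_demo_package()` provides a constructed tree to try it on.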
Functionality Improvement
Twelve versions of this malicious NPM package have been published, with 1,283 downloads since 2019, when the first version appeared.
From the second version onward, the attacker started improving the functionality: a remote shell was added, and in version 1.1.0 a script to download the aforementioned password-stealing tool was added as well.
“In versions 1.1.1 and 1.1.2, this script was modified to run TeamViewer.exe instead, probably because the author didn’t want to have such an obvious connection between the malware and their website,” researchers said.
To steal the credentials, the attackers rely on typosquatting to trick users into installing and executing the malicious package on the victim’s system.
Once the package has been successfully installed and executed, persistence is accomplished by installing the lib/test.js script as a Windows service.
This Windows service listens on port 7353 for incoming commands, which include directory content listing, file lookup, file upload, shell command execution, and screen and camera recording.
Finally, the attackers use the shell command execution to run the previously downloaded ChromePass hack tool.
Researchers found that the NPM download stats show that this package has been downloaded more than 35,000 times.
Indicators of Compromise
Affected packages and SHA1: