Researchers uncovered a malicious NPM package that steals Google Chrome passwords by abusing a legitimate password recovery tool.
The malicious NPM package targeted software developers by abusing a legitimate third-party tool, “ChromePass”, which recovers passwords saved in the Chrome browser.
The author of this package goes by the name chrunlee and has actively developed nearly 61 repositories on GitHub; the GitHub profile is also linked to the website hxxps://chrunlee(.)cn, where the actor actively posts articles.
Researchers from ReversingLabs found that this package has 12 published versions and over 1,283 downloads in total since it was initially published at the end of February 2019.
NPM Package Stealing Passwords
Malicious activity from the NPM package “chrunlee” was found during a scan of public packages; the package performs several malicious actions against software developers.
Researchers found the ChromePass utility, renamed “a.exe”, inside the package’s “lib” folder.
The ChromePass tool itself is not malicious, but the attacker abused it for password stealing and credential exfiltration, since it can also be run from the command line.
Twelve versions of this malicious NPM package have been published, with 1,283 downloads since 2019, when the first version was released.
From the second version onward, the attackers improved the functionality: they added a remote shell, and when the package was upgraded to version 1.1.0 they added a script to download the aforementioned password-stealing tool.
“In versions 1.1.1 and 1.1.2, this script was modified to run TeamViewer.exe instead, probably because the author didn’t want to have such an obvious connection between the malware and their website,” the researchers said.
To steal the credentials, the attackers trick users into installing the malicious package through typosquatting, so that it ends up on the victim’s system.
Once the package has been installed and executed, persistence is achieved by installing the lib/test.js script as a Windows service.
This Windows service opens port 7353 and listens for incoming commands, including directory listing, file lookup, file upload, shell command execution, and screen and camera recording.
Finally, the attackers run shell commands that execute the previously downloaded ChromePass hack tool.
Researchers noted that NPM download statistics show this package has been downloaded more than 35,000 times.
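The traits described above (a Windows executable shipped inside the package’s lib folder, a lib/test.js that listens on port 7353) are all visible on disk, so a defender can triage an installed package for them. The following scanner is an added example written for this article; it is not code from the article or from ReversingLabs. It assumes a package laid out as the article describes, and it also checks for npm lifecycle hooks (preinstall/install/postinstall/prepare), which the article does not mention but which are the usual way a package runs code at install time. The sample packages it builds are constructed here for demonstration; the port number and the file names come from the article.

```python
import json
import re
import tempfile
from pathlib import Path

# Port the article reports the implanted service listening on.
SUSPICIOUS_PORTS = {7353}
# Lifecycle hooks that run code at install time (assumption: not stated in the article).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
# Windows PE files start with the "MZ" magic bytes.
MZ_MAGIC = b"MZ"
# Matches Node's net/http ".listen(<port>" calls.
PORT_RE = re.compile(r"\.listen\(\s*(\d{2,5})")


def scan_package(pkg_dir):
    """Return a list of human-readable findings for one unpacked npm package."""
    pkg_dir = Path(pkg_dir)
    findings = []

    manifest = pkg_dir / "package.json"
    if manifest.is_file():
        scripts = json.loads(manifest.read_text()).get("scripts", {})
        for hook in LIFECYCLE_HOOKS:
            if hook in scripts:
                findings.append(f"lifecycle hook '{hook}': {scripts[hook]}")

    for path in pkg_dir.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(pkg_dir).as_posix()
        with path.open("rb") as fh:
            head = fh.read(2)
        if head == MZ_MAGIC:
            findings.append(f"PE executable embedded in package: {rel}")
        if path.suffix == ".js":
            text = path.read_text(errors="replace")
            for match in PORT_RE.finditer(text):
                port = int(match.group(1))
                if port in SUSPICIOUS_PORTS:
                    findings.append(f"{rel} listens on port {port}")
    return findings


def build_sample_package():
    """Construct a package mimicking the article's description (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="npm-sample-"))
    (root / "lib").mkdir()
    (root / "package.json").write_text(json.dumps({
        "name": "constructed-sample",
        "version": "1.1.0",
        "scripts": {"postinstall": "node lib/test.js"},
    }))
    # Stand-in for the renamed ChromePass binary: only the PE magic, no real code.
    (root / "lib" / "a.exe").write_bytes(MZ_MAGIC + b"\x90\x00" * 8)
    # Stand-in for the service script that listens for operator commands.
    (root / "lib" / "test.js").write_text(
        "const net = require('net');\n"
        "net.createServer(sock => sock.end()).listen(7353);\n"
    )
    return root


def build_clean_package():
    """Construct a benign package for comparison (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="npm-clean-"))
    (root / "package.json").write_text(json.dumps({
        "name": "constructed-clean",
        "version": "1.0.0",
        "scripts": {"test": "node index.js"},
    }))
    (root / "index.js").write_text("module.exports = () => 'hello';\n")
    return root


if __name__ == "__main__":
    for label, builder in (("sample", build_sample_package), ("clean", build_clean_package)):
        print(label, scan_package(builder()) or ["no findings"])
```

Run it against the extracted contents of any package in node_modules; the constructed sample yields three findings (the lifecycle hook, the embedded PE file, and the listener on 7353) while the clean package yields none. The port and MZ checks are cheap heuristics, not proof of malice, so findings are a prompt for manual review rather than a verdict.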
Indicators of Compromise
Affected packages and SHA1: