The two packages, named jdb.js and db-json.js, were created by the same author and posed as the legitimate jdb and db-json libraries. They were downloaded nearly 100 times before researchers at Sonatype discovered them.
Analysis of the malicious jdb.js package revealed that it contained three files: package.json (the manifest), module.js (an obfuscated script), and patch.exe (a Windows executable containing the njRAT payload).
The package.json manifest launched module.js as soon as the package was installed. The module.js script performs reconnaissance of the infected machine and gathers data, and it also launches patch.exe, an njRAT dropper written in .NET.
“By infecting a host with this malware, a remote attacker gains the ability to log keystrokes, modify registry values, initiate system shutdown or restart at will, edit web browser (IE) start page, “speak” to the user via text-to-speech synthesis (via SAPI.Spvoice), kill or relaunch critical system processes like task manager, system restore, and PING, in addition to taking control of hardware devices like CD drives, monitors, mouse, keyboard, etc.,” Sonatype said.
While only jdb.js contained malicious behavior, the researchers said the db-json.js package is more concerning because it might be harder for both a human reviewer and an automated scanner to spot immediately.
“The package “db-json.js” appears clean on a first glance as it contains functional code one would expect from a genuine JSON DB creation package. Yet, it is secretly pulling in the malicious “jdb.js” as a dependency,” Sonatype explained.
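The two warning signs described above, code that runs at install time via the manifest and a clean-looking package that quietly pulls in a malicious dependency, can both be surfaced by walking the dependency graph and recording the path to each package. The following audit script is an added example, not code from Sonatype or npm; the manifests are constructed stand-ins for the real packages, and the `postinstall` hook on jdb.js is an assumption used to model "launched module.js as soon as the package was installed".

```javascript
// npm lifecycle hooks that execute arbitrary code during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Constructed manifests standing in for the package.json files npm would
// install. The postinstall hook on jdb.js is an assumption (the report only
// says module.js ran as soon as the package was installed).
const MANIFESTS = {
  "my-app": { name: "my-app", dependencies: { "db-json.js": "^1.0.0" } },
  "db-json.js": { name: "db-json.js", main: "index.js",
                  dependencies: { "jdb.js": "^1.0.0" } },   // looks clean, drags in jdb.js
  "jdb.js": { name: "jdb.js", main: "module.js",
              scripts: { postinstall: "node module.js" } },
};

// Package names the page identifies as malicious.
const KNOWN_BAD = new Set(["jdb.js", "db-json.js"]);

// Depth-first walk from `root`, keeping the path by which each package is
// reached so a transitive dependency is attributed to the package that pulled it in.
function auditDependencies(manifests, root, knownBad = KNOWN_BAD) {
  const findings = [];
  const seen = new Set();
  const stack = [[root, [root]]];
  while (stack.length) {
    const [name, path] = stack.pop();
    if (seen.has(name)) continue;
    seen.add(name);
    const pkg = manifests[name];
    if (!pkg) { findings.push({ package: name, reason: "manifest missing", path }); continue; }
    const hooks = INSTALL_HOOKS.filter((h) => pkg.scripts && pkg.scripts[h]);
    if (hooks.length) {
      findings.push({ package: name, reason: "runs code at install: " + hooks.join(","), path });
    }
    if (knownBad.has(name)) findings.push({ package: name, reason: "known malicious package", path });
    for (const dep of Object.keys(pkg.dependencies || {})) stack.push([dep, [...path, dep]]);
  }
  return findings;
}

for (const f of auditDependencies(MANIFESTS, "my-app")) {
  console.log(`${f.package}: ${f.reason} (via ${f.path.join(" -> ")})`);
}
```

Against a real project, replace `MANIFESTS` with the package.json files read from node_modules or reconstructed from the lockfile; the path output is what shows that db-json.js, not the developer's own code, introduced jdb.js.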
Web developers who installed either of the two packages mentioned above should consider their systems fully compromised, the npm security team warned.
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the team said. “The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.”