Password stealing malware hidden in open source software – what to do


Malware that steals passwords from Google Chrome, and can also take screenshots and use laptop cameras, has been hidden since December 2020 in a widely used software repository, and it’s unclear how many applications and other programs may have become infected as a result of this “supply chain” attack.

The malware has been removed from the software repository, but the damage is already done. If you happened to run software that, unbeknownst to its developers, contained this hidden malware, you may have been spied on and your passwords stolen. Unfortunately, we don’t yet know what was built using these corrupted components.

You may never really know if your passwords have been stolen or if your privacy has been compromised in this way. But the incident highlights the dangers of letting your web browser save passwords, because browsers are still too easy to crack.

Instead of saving passwords in your browser, use one of the best password managers, or just write your passwords down in a book or on a piece of paper and keep it in a safe place.

A twisted story of abused trust

According to a blog post published yesterday (July 21) by Boston-area security firm Reversing Labs, the malware abuses a free and legitimate Windows password recovery tool called ChromePass which, as the ChromePass page states, “Allows you to view usernames and passwords stored by the Google Chrome web browser.”

ChromePass itself is a handy utility, although it shows how easy it is to recover saved passwords from Chrome. (It’s also flagged as malware by most of the top antivirus programs.)

So how did the malware get into the software repository? It’s complicated, but we’ll try to keep it short.

Many applications are really web browsers

Hundreds of desktop apps, including Discord, Microsoft Teams, Slack, and Spotify, are built using web browser technology. (That doesn’t mean they’ve been infected.) These apps are essentially modified versions of Chromium, the open source browser used as the base for Chrome, Microsoft Edge, Opera, and other web browsers.

They and thousands of other programs depend on JavaScript, a programming language developed in 1995 for Netscape Navigator, the first widely used web browser. JavaScript is very versatile and easy to use, and it’s now widely used outside of browsers for all kinds of purposes.

To run JavaScript outside of a browser, many developers use something called Node.js. The largest code repository for Node.js is called Node Package Manager, or NPM.

NPM is not only a code repository, but also an application through which you can grab over a million JavaScript “packages”, modular pieces of JavaScript that you can then use as building blocks while developing your software. Some of these packages are paid, but most are free.

Booby-trapped software

Anyone can contribute a package to NPM, and that includes people with malicious intent. In this case, someone created a free but bogus JavaScript package called “nodejs_net_server” that contained the ChromePass password extractor and added it to NPM. This malicious package could also take screenshots and use a PC’s webcam.

A second malicious JavaScript package with far less capability, called “tempdownloadtempfile”, was uploaded to NPM by the same person.

According to Reversing Labs, Bleeping Computer, and ThreatPost, these two packages were downloaded by software developers nearly 1,300 times and over 800 times, respectively.

There is little chance that these developers really understood what they were getting. But when nodejs_net_server is installed on a developer’s PC, it integrates into a widely used JavaScript package called “jstest” to ensure that it cannot be removed.
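A check developers can run against their own projects, added here as an example and not taken from the article or from Reversing Labs: scan an npm lockfile for the two package names reported above, including packages pulled in indirectly by some other dependency, which is how a developer ends up with a package they never chose. The lockfile content below is constructed for the illustration; the `some-helper` dependency and every version number are invented.

```javascript
// Added example (not from the article): scan an npm package-lock.json for
// packages named in the Reversing Labs report. Handles lockfileVersion 1
// (nested "dependencies" tree) and lockfileVersion 2/3 (flat "packages"
// object keyed by install path).

// The two package names come from the article; nothing else here does.
const FLAGGED_PACKAGES = new Set(['nodejs_net_server', 'tempdownloadtempfile']);

// lockfileVersion 1: each dependency entry may carry its own nested
// "dependencies" object for packages installed underneath it.
function walkV1(deps, parentPath, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = `${parentPath}node_modules/${name}`;
    if (FLAGGED_PACKAGES.has(name)) {
      out.push({ name, version: entry.version, path });
    }
    walkV1(entry.dependencies, `${path}/`, out);
  }
}

// lockfileVersion 2/3: every installed package is listed under "packages",
// keyed by its path ("node_modules/a/node_modules/b"). The package name is
// whatever follows the last "node_modules/" segment (scoped names such as
// "@scope/pkg" survive this), unless the entry declares "name" explicitly.
function walkV2(packages, out) {
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(packages || {})) {
    if (path === '') continue; // the root project itself
    const name = entry.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (FLAGGED_PACKAGES.has(name)) {
      out.push({ name, version: entry.version, path });
    }
  }
}

// Returns every flagged package in the lockfile, whether direct or transitive.
function findFlaggedPackages(lockfile) {
  const out = [];
  if (lockfile.lockfileVersion >= 2 && lockfile.packages) {
    walkV2(lockfile.packages, out);
  } else {
    walkV1(lockfile.dependencies, '', out);
  }
  return out;
}

// Constructed sample (lockfileVersion 2): the project depends only on an
// innocuous-looking "some-helper", which in turn pulls in the flagged package,
// so the flagged name never appears in the project's own package.json.
const SAMPLE_LOCKFILE_V2 = {
  name: 'example-app',
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0', dependencies: { 'some-helper': '^1.0.0' } },
    'node_modules/some-helper': { version: '1.0.0', dependencies: { nodejs_net_server: '*' } },
    'node_modules/some-helper/node_modules/nodejs_net_server': { version: '1.1.2' },
    'node_modules/express': { version: '4.17.1' },
  },
};

// The same situation as a constructed lockfileVersion 1 file.
const SAMPLE_LOCKFILE_V1 = {
  name: 'example-app',
  lockfileVersion: 1,
  dependencies: {
    'some-helper': {
      version: '1.0.0',
      dependencies: { nodejs_net_server: { version: '1.1.2' } },
    },
    express: { version: '4.17.1' },
  },
};

// Print one line per hit so the result is readable from a terminal.
function report(lockfile) {
  const hits = findFlaggedPackages(lockfile);
  if (hits.length === 0) {
    console.log(`${lockfile.name}: no flagged packages found.`);
  }
  for (const h of hits) {
    console.log(`${lockfile.name}: FLAGGED ${h.name}@${h.version} at ${h.path}`);
  }
  return hits;
}

report(SAMPLE_LOCKFILE_V2);
report(SAMPLE_LOCKFILE_V1);
```

To run it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Because the scan walks the lockfile rather than `package.json`, it catches the case the article describes, where the developer never asked for the package directly. A clean result only means these two names are absent; it says nothing about other packages.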

At this point, we don’t know how much software, including desktop apps, has been created using these malicious JavaScript packages. We don’t know how many end users were spied on. We may learn more in the days and weeks to come.

But the bottom line is this: don’t save your passwords, especially sensitive passwords that can unlock bank accounts, online messaging services, or social media accounts, in your web browser.

Use a password manager. And use one of the best Windows 10 antivirus programs to detect at least some of the malicious packages.
