The Node Package Manager (npm) team avoided a disaster today when it discovered and blocked the distribution of a cleverly hidden backdoor mechanism inside a popular —albeit deprecated— JavaScript package.

The actual backdoor mechanism was found in "getcookies," a relatively newly created npm package (JavaScript library) for working with browser cookies.

The npm team —who analyzed this package earlier today after reports from the npm community— says "getcookies" contains a complex system for receiving commands from a remote attacker, who could target any JavaScript app that had incorporated this library. The npm team explains:

The backdoor worked by parsing the user-supplied HTTP request.headers, looking for specifically formatted data that provides three different commands to the backdoor.

[...]

We can see here that the headers are stringified and the result searched for values in the format of: gCOMMANDhDATAi

According to the npm team, the backdoor "allowed for an attacker to input arbitrary code into a running server and execute it."

The original backdoored module was imported in other packages

But things didn't end here. The "getcookies" library was new and not that popular, being included in very few projects.

The npm team says it discovered a nested dependency chain through which the "getcookies" package had indirectly made it into the structure of a much popular library called "Mailparser."

mailparser └── http-fetch-cookies └── express-cookies └──getcookies

Mailparser is an npm package for parsing email data using JavaScript. This is an old library, and one that's been deprecated in favor of a newer one named "Nodemailer."

But despite being abandoned, the library has not been unpublished from the npm package index, as there are older applications that still use it in their build chains. At the time of writing, the Mailparser npm page listed over 66,000 weekly downloads.

No attacks reported

"We speculate that mailparser’s requiring http-fetch-cookies was to execute an attack in the future or to inflate download counts of express-cookies to add to its legitimacy," the npm team said today in an incident response report.

Investigators also suggest that no attacks to exploit the backdoor appear to have taken place because the "no packages published to the npm Registry used the malicious modules in a way that would have allowed the backdoor to be triggered."

Npm index maintainers appear to have caught a future supply-chain attack before it happened. The npm team has also removed the "dustin87" user behind the attack and unpublished the getcookies, express-cookies, and http-fetch-cookies packages.

They've also rolled Mailparser to v2.2.0, removing three versions (2.2.3, 2.2.2, and 2.2.1) that contained the http-fetch-cookies malicious package.

There have been previous incidents

Back in August 2017, the same npm team removed 38 JavaScript npm packages that were caught stealing environment variables from infected projects.

Something similar happened on PyPI — Python Package Index — the official third-party software repository for the Python programming language. Back in September 2017, the Slovak National Security Office (NBU) found and reported ten malicious Python packages on PyPI, which were promptly removed.