Malicious NPM Package Caught Stealing Users' Saved Passwords From Browsers


Level 8
Aug 2, 2020
A software package available from the official NPM repository has been revealed to be actually a front for a tool that's designed to steal saved passwords from the Chrome web browser.
The package in question, named "nodejs_net_server" and downloaded over 1,283 times since February 2019, was last updated seven months ago (version 1.1.2), with its corresponding repository leading to non-existent locations hosted on GitHub.

"It isn't malicious by itself, but it can be when put into the malicious use context," ReversingLabs researcher Karlo Zanki said in an analysis shared with The Hacker News. "For instance, this package uses it to perform malicious password stealing and credential exfiltration. Even though this off-the-shelf password recovery tool comes with a graphical user interface, malware authors like to use it as it can also be run from the command line."

While the first version of the package was published just to test the process of publishing an NPM package, the developer, who went by the name of "chrunlee", made revisions to implement a remote shell functionality which was improvised over several subsequent versions.

This was followed by the addition of a script that downloaded the ChromePass password-stealing tool hosted on their personal website ("hxxps://"), only to modify it three weeks later to run TeamViewer remote access software.

Update: The offending NPM package has now been pulled from the repository, with a GitHub spokesperson telling The Hacker News that "We removed the package in accordance with npm's acceptable use policy regarding malware, as outlined in its Open-Source Terms."