The backdoor worked by parsing the user-supplied HTTP request headers (request.headers), looking for specifically formatted data that encoded one of three different commands for the backdoor.
We can see here that the headers are stringified and the result is searched for values in the format gCOMMANDhDATAi.
According to the npm team, the backdoor “allowed for an attacker to input arbitrary code into a running server and execute it.”
The original backdoored module was imported by other packages
But things didn’t end here. The “getcookies” library was new and not that popular, being included in very few projects.
The npm team says it discovered a nested dependency chain through which the “getcookies” package had indirectly made it into the dependency tree of a much more popular library called “Mailparser.”
But despite being abandoned, the library has not been unpublished from the npm package index, as there are older applications that still use it in their build chains. At the time of writing, the Mailparser npm page listed over 66,000 weekly downloads.
No attacks reported
“We speculate that mailparser’s requiring http-fetch-cookies was to execute an attack in the future or to inflate download counts of express-cookies to add to its legitimacy,” the npm team said today in an incident response report.
Investigators also suggest that no attacks exploiting the backdoor appear to have taken place, because “no packages published to the npm Registry used the malicious modules in a way that would have allowed the backdoor to be triggered.”
Npm index maintainers appear to have caught a future supply-chain attack before it happened. The npm team has also removed the “dustin87” user behind the attack and unpublished the getcookies, express-cookies, and http-fetch-cookies packages.
They’ve also rolled Mailparser back to v2.2.0, removing the three versions (2.2.3, 2.2.2, and 2.2.1) that contained the malicious http-fetch-cookies package.
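The nested chain described above (Mailparser pulling in http-fetch-cookies, which pulled in express-cookies and getcookies) is exactly what a flat listing of direct dependencies hides. The following is an added example, not code from the npm report or from any of the packages it names: it walks a lockfileVersion 1 package-lock.json tree and prints every path by which a blocklisted package, or a blocklisted version of Mailparser, reaches the project. The lockfile contents and the version numbers of the three cookie packages are constructed for the example.

```javascript
// Packages named in the npm incident report; null means every version is bad,
// an array lists only the versions that pulled in the malicious dependency.
const BLOCKLIST = {
  getcookies: null,
  'express-cookies': null,
  'http-fetch-cookies': null,
  mailparser: ['2.2.1', '2.2.2', '2.2.3'],
};

// Constructed sample in the nested "dependencies" shape of a lockfileVersion 1
// package-lock.json; the versions of the three cookie packages are made up.
const SAMPLE_LOCK = {
  dependencies: {
    mailparser: {
      version: '2.2.3',
      dependencies: {
        'http-fetch-cookies': {
          version: '1.0.0',
          dependencies: {
            'express-cookies': { version: '1.0.0', dependencies: { getcookies: { version: '0.0.3' } } },
          },
        },
      },
    },
    express: { version: '4.16.3' },
  },
};

function isBlocked(name, version) {
  if (!(name in BLOCKLIST)) return false;
  const versions = BLOCKLIST[name];
  return versions === null || versions.includes(version);
}

// Depth-first walk; returns one "a@1 > b@2 > ..." string per blocked node so the
// full chain from a direct dependency down to the malicious package is visible.
function findBlockedPaths(lock) {
  const hits = [];
  const walk = (deps, chain) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = [...chain, `${name}@${info.version}`];
      if (isBlocked(name, info.version)) hits.push(path.join(' > '));
      walk(info.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

console.log(findBlockedPaths(SAMPLE_LOCK));
```

Run against a real lockfile with `findBlockedPaths(JSON.parse(fs.readFileSync('package-lock.json')))`; a Mailparser pinned at 2.2.0 or earlier produces no hit, while any of the three removed versions is reported together with the chain beneath it.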
There have been previous incidents
Something similar happened on PyPI — Python Package Index — the official third-party software repository for the Python programming language. Back in September 2017, the Slovak National Security Office (NBU) found and reported ten malicious Python packages on PyPI, which were promptly removed.
May 3, 2018