Malware that Steals Passwords Hidden in Open Source Software — What to Do

Malware that Steals Passwords Hidden in Open Source Software — What to Do

A nasty malware that can steal passwords from Google Chrome, take screenshots and even use laptop cameras has been hidden in widely used software repositories since December 2020, the result of this "supply chain" attack, We don't know how many applications and other programs have been infected

The malware has been removed from software repositories, but the damage has already been done If software developers happened to run software containing this hidden malware without their knowledge, they could have been spied on and had their passwords stolen Unfortunately, it is not yet known what was created with these corrupted components

We may never truly know if passwords were stolen or privacy compromised in this manner However, this incident highlights the dangers of allowing web browsers to store passwords

Instead of storing passwords in your browser, use the best password manager or write your passwords in a book or on paper and keep them in a safe place

According to a blog post yesterday (July 21) from Boston-area security firm Reversing Labs, the malware exploits a legitimate, free Windows password recovery tool called ChromePass, and as described on the ChromePass page As stated on the ChromePass page, it can "see the usernames and passwords stored by the Google Chrome web browser"

ChromePass itself is fine and useful, but it shows how easy it is to retrieve stored passwords from Chrome (11]

So how did the malware get into the software repository? This is complicated, but let us briefly explain

Hundreds of desktop applications, including Discord, Microsoft Teams, Slack, and Spotify, are built using web browser technology (These applications are in a sense modified versions of Chromium, the open source browser used as the basis for Chrome, Microsoft Edge, Opera, and other web browsers

These and thousands of other software applications rely on JavaScript, a software language developed for Netscape Navigator, the first widely used web browser in 1995, It is now widely used for all purposes outside of browsers

To run JavaScript outside the browser, many developers use something called Nodejs The largest repository of Nodejs code is called the Node Package Manager, or NPM

NPM is not just a cache of code, but also an application that can retrieve over a million JavaScript "packages," or JavaScript module chunks that can be used as building blocks during software development Some of these packages are paid for, but most are available for free

Anyone can contribute packages to NPM, including those with malicious intent In this case, someone built a free but fake JavaScript package called "nodejs_net_server" that contains the ChromePass password extraction tool and added it to NPM This malicious package can also take screenshots and use a PC's webcam

A second malicious JavaScript package with much less functionality, called "tempdownloadtempfile," was uploaded to NPM by the same person

According to Reversing Labs, Bleeping Computer, and ThreatPost, these two packages have been downloaded nearly 1,300 times and over 800 times respectively by software developers

It is unlikely that these developers really knew what they were getting into However, once nodejs_net_server is installed on a developer's PC, it is embedded in a widely used JavaScript package called "jstest" that cannot be removed

At this time, it is not known how much software, including desktop applications, has been built using these malicious JavaScript packages We also do not know how many end users have been spied on We may know more in the coming days and weeks

But the bottom line is this: don't store sensitive passwords in your web browser, especially those that can unlock your bank account, online email service, or social media accounts

Use a password manager And use one of the best Windows 10 antivirus programs to catch at least some of the malicious packages

Categories