Chrome On Windows Account Recovery Tool Caught Stealing Passwords


Code published to the Node Package Manager (npm) registry has been caught stealing passwords on Chrome for Windows by way of a legitimate account recovery tool. That is based on recent reports detailing the malicious code, which was found in two packages in the npm repository.

For clarity, npm is the default package manager for Node.js, the JavaScript runtime environment built on Chrome's V8 JavaScript engine. Like GitHub or PyPI, it acts as part of the software supply chain, managing JavaScript packages: it hosts up to 1.5 million unique packages and serves more than 1 billion JavaScript requests per day.

The issue in question stems from the discovery of an embedded Windows .exe file, detected as "Win32.Infostealer.Heuristics", in two packages: "nodejs_net_server" and "temptesttempfile". Both were discovered by ReversingLabs researchers.


What was going on with this?

Digging deeper into this issue, nodejs_net_server is a package with 12 published versions and more than 1,300 downloads since early 2019. The most recent update was six months ago, with authorship attributed to "chrunlee", a name that also appears on GitHub. It was not until the version 1.1.0 update in December 2020 that a script was added to download the above-mentioned password-stealing tool.

The second package, "temptesttempfile", is more mysterious. As of this writing it does not appear to have done much of anything, aside from containing the same remote shell functionality found in the other versions of the nodejs_net_server package. In this case, however, that functionality does not appear to have done anything, or at the very least it did not execute the password-hijacking tool.

The password-stealing tool itself was identified as the ChromePass utility for Chrome on Windows, published by NirSoft. That utility is used to retrieve and view passwords stored in Google's Chrome browser.


Are you safe from password-stealing account recovery tools in Windows Chrome now?

ReversingLabs first reached out to the npm security team on July 2 about the problem presented by the packages in question. That appears to have prompted npm, Inc. to launch its own investigation, and following that investigation the company removed both malicious packages from its repository. ReversingLabs was reportedly forced to reach out to npm again on July 15, however, since the package was still live in the repository at that time.

That should mean end users are now safe, at the very least from the two packages in question. The news does, however, highlight problems associated with JavaScript in general, particularly third-party developers using JavaScript and other code pulled down from the web without proper testing.