"NPM Package Steals Chrome Passwords on Windows via Recovery Tool"
New NPM malware has been observed stealing Google Chrome credentials through the use of legitimate password recovery tools on Windows systems. NPM, short for Node Package Manager, is a packet manager for the JavaScript programming language. The NPM malware has also been discovered listening for incoming connections from the attacker's command-and-control (C2) server and providing advanced capabilities, including directory listing, file lookup, file upload, shell command execution, and camera access. Researchers at ReversingLabs shared their findings surrounding two malicious NPM packages called "nodejs_net_server" and "temptesttempfile." The researchers' report primarily focuses on nodejs_net_server, which has the core malware functionality. The malware, specifically nodejs_net_server, uses the legitimate ChromePass freeware utility for Windows to carry out credential-stealing activities. This password recovery tool aims at extracting passwords from the user's Chrome web browser. It was found packed inside the NPM package with misleading names. This article continues to discuss findings regarding the two malicious NPM packages that steal passwords from the Chrome web browser via the password recovery tool ChromePass.
Bleeping Computer reports "NPM Package Steals Chrome Passwords on Windows via Recovery Tool"