A malicious package found in NPM repository


Last week, npm pulled a package called “bb-builder” from the repository after discovering that it stole login information from the computers on which it had been installed. When a computer installed this malicious package via npm, it deployed an executable for the Windows operating system that sent sensitive information to a remote server.

The npm repository is very popular among programmers as an online database of open-source packages that are often used as dependencies in Node.js projects. The repository is expanding day by day, and at the moment it contains over nine million packages, nearly 35TB of uncompressed data.


Tomislav Pericin, co-founder and chief software architect at ReversingLabs, discovered this dangerous package and warned npm immediately. Not long ago, ReversingLabs performed a similar scan on the PyPI repository for Python packages and found the “libpeshnx” library, which contained a malicious function that creates a backdoor.

He and his team found a lot of suspicious PE (Portable Executable) files in the npm repository and scanned the packages that included this type of file. That is how they discovered this package, which is labeled as a password recovery tool. When they researched the package in depth, they found that it had been uploaded to the repository a year earlier using someone's stolen credentials.

“bb-builder” first included the password recovery tool in version 1.0.1. Later updates added further functionality, such as a dependency to submit the credentials to the creator's web server. “bb-builder” was not popular as a password recovery tool: its installation statistics show few weekly downloads. The most active period was between June 19-25, when the number of downloads peaked at 78.

The npm community notes that this malicious package was successfully pulled, but warns developers to be aware of suspicious packages and to inform npm immediately if they find one.
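The scan described above started from packages that ship PE files. The following is an added example of that kind of check for a local `node_modules` tree; it is not ReversingLabs' or npm's code, and the function names, script name and sample bytes are constructed for illustration.

```javascript
// Added example (not from the original article): list files under a directory
// that are Windows PE binaries, judged by content rather than file extension.
const fs = require('fs');
const path = require('path');

// A PE file starts with a DOS header ("MZ") whose 32-bit field at offset 0x3C
// (e_lfanew) holds the file offset of the "PE\0\0" signature.
function isPeFile(file) {
  const fd = fs.openSync(file, 'r');
  try {
    const dos = Buffer.alloc(0x40);
    if (fs.readSync(fd, dos, 0, 0x40, 0) < 0x40) return false; // too short
    if (dos.readUInt16LE(0) !== 0x5a4d) return false;          // no "MZ"
    const sig = Buffer.alloc(4);
    const n = fs.readSync(fd, sig, 0, 4, dos.readUInt32LE(0x3c));
    return n === 4 && sig.readUInt32LE(0) === 0x00004550;      // "PE\0\0"
  } finally {
    fs.closeSync(fd);
  }
}

// Walk the tree iteratively; symlinks are skipped so the scan stays under root.
function findPeFiles(root) {
  const hits = [];
  const stack = [root];
  while (stack.length > 0) {
    const dir = stack.pop();
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) stack.push(full);
      else if (entry.isFile() && isPeFile(full)) hits.push(full);
    }
  }
  return hits.sort();
}

// Constructed sample: the smallest byte layout the check above accepts.
function buildSamplePe() {
  const b = Buffer.alloc(0x44);
  b.write('MZ', 0, 'latin1');
  b.writeUInt32LE(0x40, 0x3c);
  b.write('PE\0\0', 0x40, 'latin1');
  return b;
}

// Usage (hypothetical script name): node find-pe.js ./node_modules
if (process.argv[2]) console.log(findPeFiles(process.argv[2]).join('\n'));
```

A hit is a lead for review, not a verdict: some legitimate packages ship native binaries, so compare each result against what the package claims to do.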
