Compromised library first found on the npm website
According to the recently published report by Sonatype, the library was allegedly first published on the npm website on Friday and was discovered the same day. It has since been removed, after the npm security team blacklisted the package.
Sonatype security researcher found out about the flawed library
The reverse shell connects to "4.tcp.ngrok[.]io:11425", from which it waits to receive commands to run on the infected user's computer. Sharma added that the reverse shell only works on UNIX-based operating systems.
According to an article by ZDNet, the npm security team confirmed Sonatype's findings, stating that any computer that has this package installed or running should be considered fully compromised. It also advised that all secrets and keys stored on that computer be rotated immediately, from a different computer.
Attacks have been going on for quite a while
This article is owned by Tech Times
Written by Urian Buenconsejo