Find malicious javascript modules in your projects

It came to my attention recently that a bunch of modules with similar names to popular libraries had been published on npm, with the goal of taking people’s environment variables, which may contain important private information.

These modules work exactly like the originals, but send your process environment to a third-party server when you install them.

An article suggests that you can easily check if you have installed any of these malicious modules by running the following command:

npm ls | grep -E "babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter"

This lists the installed npm modules and checks for ones matching the malicious ones.

This command has a couple of downsides however:

  1. It must be run on a per-project basis
  2. It only checks currently installed modules

So, building on top of this idea, I came up with these couple of commands:

grep -rnw --include={package.json,bower.json} --exclude-dir={node_modules,plugins} -e 'babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter' .

When run inside of your projects / code directory, this will check every project’s package.json and bower.json for modules matching the malicious ones. This command ignores the node_modules and plugins directories, but you can easily remove this exclude and check every sub directory also (which I would recommend) as in this command:

grep -rnw --include={package.json,bower.json} -e 'babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter' .

I would recommend running these commands on both your local working machine, and your staging & production servers.

In addition to the above, a small change to the command suggested in the previously mentioned article allows you to check your globally installed modules for malicious ones.

npm ls -g | grep -E 'babelcli|crossenv|cross-env.js|d3.js|fabric-js|ffmepg|gruntcli|http-proxy.js|jquery.js|mariadb|mongose|mssql.js|mssql-node|mysqljs|nodecaffe|nodefabric|node-fabric|nodeffmpeg|nodemailer-js|nodemailer.js|nodemssql|node-opencv|node-opensl|node-openssl|noderequest|nodesass|nodesqlite|node-sqlite|node-tkinter|opencv.js|openssl.js|proxy.js|shadowsock|smb|sqlite.js|sqliter|sqlserver|tkinter'

I believe that since writing this blog, the modules in question have been removed from npm, and so you should not run into problems with them, however due to npm’s apparent lack of security you should always check that you are installing an official module with the correct name.