Malicious Package

2021-02-03T15:22:18
ID NODEJS:1599
Type nodejs
Reporter dabbler0
Modified 2021-02-03T15:22:18

Description

Overview

All versions of http-proxy-middelware contain malicious code. The index.js file attempts to download a file from a remote server and execute it. This code is not run upon installation: the package needs to be required, or index.js run manually, for it to execute.

The package contains a typo in its code which led to it not functioning properly. Additionally, the remote file it attempted to download is no longer retrievable; it might have been retrievable in the past, and its contents are unknown.

Recommendation

Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer.

The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it.
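To find out whether a project pulls in this package, the following added example (not part of the advisory or of any npm tooling) checks a parsed package.json or package-lock.json for the exact misspelled name, covering lockfile versions 1 to 3. The function name findMaliciousPackage, the location strings it returns and the sample lockfile are assumptions made for illustration.

```javascript
// Added example, not part of the advisory.
const BAD_NAME = 'http-proxy-middelware'; // package name as spelled in the advisory
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];
const has = (obj, key) =>
  obj !== null && typeof obj === 'object' &&
  Object.prototype.hasOwnProperty.call(obj, key);

// doc: parsed package.json or package-lock.json. Returns sorted location strings.
function findMaliciousPackage(doc, badName = BAD_NAME) {
  const hits = new Set();

  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, entry] of Object.entries(doc.packages || {})) {
    if (path.split('node_modules/').pop() === badName) {
      hits.add(`installed at ${path}`);
    }
    if (SECTIONS.some((s) => has(entry?.[s], badName))) {
      hits.add(`required by ${path || '<root>'}`);
    }
  }

  // package.json (values are version strings) and lockfileVersion 1
  // (values are objects with "requires" and nested "dependencies").
  const walk = (deps, trail) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const here = [...trail, name].join(' > ');
      if (name === badName) hits.add(`dependency chain ${here}`);
      if (info !== null && typeof info === 'object') {
        if (has(info.requires, badName)) hits.add(`required by ${here}`);
        walk(info.dependencies, [...trail, name]);
      }
    }
  };
  for (const s of SECTIONS) walk(doc[s], ['<root>']);
  return [...hits].sort();
}

// Constructed sample in lockfileVersion 2 shape; versions are placeholders.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { 'http-proxy-middelware': '0.0.0-example' } },
    'node_modules/http-proxy-middelware': { version: '0.0.0-example' },
    // Correctly spelled package name: must not be reported.
    'node_modules/http-proxy-middleware': { version: '0.0.0-example' },
  },
};
console.log(findMaliciousPackage(SAMPLE_LOCK));
```

An empty result only shows that the current manifest or lockfile does not reference the package; it does not show that the package was never installed or required on that machine.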