Password-stealing malware hidden in open-source software — what to do

A shadowy hand reaches for the word 'PASSWORD' displayed on a computer screen.
(Image credit: ShutterPNPhotography/Shutterstock)

Nasty malware that steals passwords from Google Chrome and can also take screenshots and use laptop cameras has been hidden since December 2020 in a widely used software repository, and there's no telling how many applications and other programs may have been infected as a result of this "supply chain" attack. 

The malware has been removed from the software repository, but the damage is already done. If you happened to run software that, unknown to the software developers, contained this hidden malware, you may have been spied on and your passwords stolen. Unfortunately, we don't yet know what was built using these corrupted components.

You may never truly know if your passwords were stolen or your privacy was compromised in this way. But the incident highlights the dangers of letting your web browser save passwords, because browsers are still too easy to break into. 

Instead of saving passwords in your browser, use one of the best password managers, or just write your passwords down in a book or on a piece of paper and keep it someplace safe.

A twisted tale of abused trust

According to a blog post yesterday (July 21) from Boston-area security firm Reversing Labs, the malware abuses a legitimate free Windows password-recovery tool called ChromePass that, as the ChromePass page states, "allows you to view the user names and passwords stored by Google Chrome Web browser." 

ChromePass itself is fine and useful, though it does show how easy it is to grab saved passwords from Chrome. (It's also flagged as malware by many of the best antivirus programs.)

So how did the malware get into the software repository? That's complicated, but we'll try to make it short.

Many applications are really web browsers

Hundreds of desktop applications, including Discord, Microsoft Teams, Slack and Spotify, are built using web-browser technology. (This doesn't mean they were infected.) These apps are in a way modified versions of Chromium, the open-source browser used as the basis for Chrome, Microsoft Edge, Opera and other web browsers. 

They and thousands of other pieces of software depend on JavaScript, a software language developed in 1995 for Netscape Navigator, the first widely used web browser. JavaScript is very versatile and easy to work with, and it's now widely used outside of browsers for all sorts of purposes. 

To run JavaScript outside a browser, many developers use something called Node.js. The biggest repository of code for Node.js is called Node Package Manager, or NPM. 

NPM isn't just a cache of code, but also an application through which you can grab more than a million JavaScript "packages," modular chunks of JavaScript that you can then use as building blocks while developing your software. You have to pay for some of these packages, but most of them are free to use.

Booby-trapped software

Anyone can contribute a package to NPM, and that includes people with malicious purposes. In this case, someone built a free but fake JavaScript package called "nodejs_net_server" that contained the ChromePass password extractor and added it to NPM. That malicious package also could take screenshots and use a PC's webcam. 

A second malicious JavaScript package with far fewer capabilities, called "tempdownloadtempfile", was uploaded to NPM by the same person.

According to Reversing Labs, Bleeping Computer and ThreatPost, those two packages have been downloaded by software developers nearly 1,300 times and more than 800 times, respectively. 

There's little chance those developers truly understood what they were getting. But when nodejs_net_server is installed on a developer's PC, it embeds itself in a widely used JavaScript package called "jstest" to make sure it can't be deleted.

At this point, we don't know how many pieces of software, including desktop applications, were built using these malicious JavaScript packages. We don't know how many end users were spied upon. We may learn more in the coming days and weeks.

But the upshot is: Don't save your passwords, especially not sensitive passwords that can unlock bank accounts, online email services or social-media accounts, in your web browser. 

Use a password manager. And use one of the best Windows 10 antivirus programs to catch at least some of the malicious packages.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.