Microsoft spots malicious npm package stealing data from UNIX systems

The security team at npm (Node Package Manager), the de facto package manager of the JavaScript ecosystem, today removed a malicious package caught stealing sensitive information from UNIX systems. The malicious package is called 1337qq-js and was uploaded to the npm repository on December 30, 2019.

The package was downloaded at least 32 times before it was detected today by the Microsoft Vulnerability Research team. According to an analysis by the npm security team, the package exfiltrates sensitive information through install scripts and targets UNIX systems only.

