These packages had around 1,000 downloads over the past few months. Cybercriminals often upload code containing malware to public repositories in the hope of establishing reverse shell connections to the machines that install it.
These four packages are:
“Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm security team said.
“The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it,” they added.
Three of the packages, plutov-slack-client, nodetest1010, and nodetest199, share identical code.
The code inside the packages is capable of running on both Unix-based and Windows systems. It can establish a reverse shell connection to the attacker’s server, giving the attacker remote access to the compromised machine.