Backdoor hidden in the npm JavaScript package

Share this…

According to researchers, the node’s Packet Manager (npm) team just avoided a disaster when it discovered and blocked the distribution of a backdoor mechanism cleverly hidden inside a JavaScript package.

This backdoor mechanism was found by information security experts in “getcookies”, a new npm package to work with browser cookies.

The team of professionals of npm that analyzed this package, commented that “getcookies” contains a complex system to receive commands from a remote attacker, and that could point to any JavaScript application that has incorporated this library.


The team of information security researchers explains: “The backdoor worked by analyzing the HTTP request.headers provided by the user, looking for specifically formatted data that provides three different commands to the backdoor …”

“We can see here that the headers are coded and the result looks for values ​​in the format of: gCOMMANDhDATAi” added the researchers.

According to the npm team, the backdoor allowed an attacker to enter arbitrary code on a running server and execute it.

It is believed that the original backdoored module was imported into other packages.

The “getcookies” library was new and not very popular, and was only included in a few projects.

The team of researchers commented that it discovered a chain of nested dependency through which the “getcookies” package had indirectly arrived at the structure of a popular library “Mailparser”.


└── http-fetch-cookies

└── express-cookies


Mailparser is an npm package to analyze email data using JavaScript, information security experts explain. This is an old library, and has been disapproved in favor of a newer “Nodemailer”.

Despite being abandoned, the library is still published in the npm package index, since there are applications that still use it in their construction chains.

There are no reported attacks yet. “It is believed that the mailparser requires http-fetch-cookies to run an attack in the future or inflate counts of express cookie downloads to increase its legitimacy,” the npm team said in a report.

The information security experts commented that there were no attacks to exploit the back door because “no package published in the npm Registry used the malicious modules in a way that would have allowed the backdoor to be activated”.

The NPM index maintainers seem to have caught a future supply chain attack before it happened. The npm team eliminated the user “dustin87” from the attack and did not publish the getcookies, express-cookies and http-fetch-cookies packages.

They also launched Mailparser to v2.2.0, eliminating versions 2.2.3, 2.2.2 and 2.2.1, which contained the malicious package http-fetch-cookies.