Privacy Ninja

Malicious NPM Packages Used To Install njRAT Remote Access Trojan

New malicious NPM packages have been discovered that install the njRAT remote access trojan, which allows hackers to gain control over a computer.

NPM is a JavaScript package manager that allows developers and users to download packages and integrate them into their projects.

As NPM is an open ecosystem, anyone can upload a new package without it being reviewed or scanned for malware. While this environment has led to a repository of 1 million rich and diverse packages, it also makes it easy for threat actors to upload malicious packages.

Malicious NPMs install njRAT

Today, open-source security firm Sonatype discovered malicious NPM packages masquerading as a legitimate tool to make databases out of JSON files.

These packages were called ‘jdb.js’ and ‘db-json.js’ and have been removed by NPM, but as you can see from a screenshot below, they look like harmless packages that could be used to add new functionality to a project.

JsonDB (db-json.js) package on NPM

As you can see from the package.json file for the db-json.js package, it has another package called ‘jdb.js’ as a dependency. The package.json file causes NPM to automatically install that package as well when installing the db-json.js package.

Package.json for db-json

This jdb.js package includes a module.js, a package.json, and a patch.exe executable, as shown below. When the package is installed, NPM executes module.js, because the package is configured to launch it automatically on install.
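The dependency chain and install-time execution described above can be checked before anything is installed. The following is an added example, not code from the article or from Sonatype: it walks a package's dependencies and flags install lifecycle scripts and bundled executables. The `postinstall` hook name, the `index.js` file, the `*` version range and the in-memory registry are constructed assumptions, since the article does not show the actual manifest contents.

```javascript
// Added example: audit a package and its transitive dependencies for
// install-time lifecycle scripts and bundled Windows executables.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const BINARY_EXT = /\.(exe|dll|scr|bat|cmd|ps1)$/i;

// registry: name -> { manifest, files }. Stand-in for unpacked package tarballs.
function auditTree(rootName, registry) {
  const findings = [];
  const seen = new Set();
  const queue = [[rootName, [rootName]]];
  while (queue.length > 0) {
    const [name, path] = queue.shift();
    if (seen.has(name)) continue; // guard against dependency cycles
    seen.add(name);
    const pkg = registry[name];
    if (!pkg) {
      findings.push({ pkg: name, path, kind: "unresolved", detail: "not in snapshot" });
      continue;
    }
    const scripts = pkg.manifest.scripts || {};
    for (const hook of INSTALL_HOOKS) {
      if (scripts[hook]) {
        findings.push({ pkg: name, path, kind: "install-hook", detail: `${hook}: ${scripts[hook]}` });
      }
    }
    for (const file of pkg.files) {
      if (BINARY_EXT.test(file)) {
        findings.push({ pkg: name, path, kind: "bundled-binary", detail: file });
      }
    }
    for (const dep of Object.keys(pkg.manifest.dependencies || {})) {
      queue.push([dep, [...path, dep]]);
    }
  }
  return findings;
}

// Constructed sample mirroring the package layout described in the article.
const SAMPLE_REGISTRY = {
  "db-json.js": {
    manifest: { name: "db-json.js", dependencies: { "jdb.js": "*" } },
    files: ["package.json", "index.js"],
  },
  "jdb.js": {
    manifest: { name: "jdb.js", scripts: { postinstall: "node module.js" } },
    files: ["module.js", "package.json", "patch.exe"],
  },
};

console.log(auditTree("db-json.js", SAMPLE_REGISTRY));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running while a flagged package is reviewed.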

jdb package contents

This JS script, shown below, is heavily obfuscated but will launch the patch.exe executable, which is the njRAT malware.

Obfuscated JavaScript file

When installed, njRAT gives the threat actor full remote access to a victim’s computer, where they can perform the following malicious behavior:

  • Modify the Windows Registry
  • Create and delete files
  • Upload files
  • Execute commands
  • Get information about the computer
  • Take control over the computer
  • Log keystrokes
  • Steal passwords
  • Kill processes
  • Take screenshots

Below you can see a small snippet of source code showing some commands that can be sent by the threat actor via njRAT.

njRAT decompiled source code

Each package was downloaded about a hundred times, but Sonatype’s Ax Sharma told BleepingComputer that they believe they caught the malicious NPMs before they could be put to full use.

Over the past year, it has become increasingly common to find NPM packages that install malware or perform malicious behavior.

Recently, NPM removed malicious packages called ‘fallguy’ and ‘discord.dll’ after discovering that they were used to steal Discord tokens and browser information from Google Chrome, Brave Browser, Opera, and Yandex Browser.

As it is becoming common for malicious NPM projects to utilize names similar to legitimate projects, developers must pay close attention to the packages they integrate into their projects.
