Privacy Ninja
NPM Nukes NodeJS Malware Opening Windows, Linux Reverse Shells

NPM has removed multiple packages hosted on its repository this week that established connection to remote servers and exfiltrated user data.

These four packages had collected over 1,000 downloads in total over the last few months before NPM removed them yesterday.

The four packages are:

  1. plutov-slack-client – claims to be a “Node.JS Slack Client” according to the information in the manifest 
  2. nodetest199 – no description
  3. nodetest1010 – no description
  4. npmpubman – claims to be “a simple implementation about Linux shell login” according to the information in the manifest 

Establishes a reverse shell to the attacker’s server

Although the malicious packages were spotted and removed by NPM, I was able to dig into Sonatype’s automated malware detection system archives to obtain copies of their source code as it existed on NPM before removal.

The first three packages, plutov-slack-client, nodetest1010, and nodetest199, share identical code.

The simplistic code contained within these packages is capable of running on both Windows and Unix-based systems.

After the packages are installed, the code establishes a reverse shell to the attacker’s server, allowing the attacker to obtain remote access to the compromised machine.

The first 3 packages (plutov-slack-client, nodetest1010, and nodetest199) establish a reverse shell to the attacker’s server 
Source: BleepingComputer

A key finding is that, despite the three packages sharing identical code, the manifest file (package.json) contained within each of them has drastically different metadata about the author’s whereabouts and GitHub profile.

It is plausible that either the data in package.json was faked by the malware author, or the malware author published these malicious packages using compromised GitHub and npm accounts belonging to different developers.

Uploads user data to a remote server

The last package on the list, npmpubman, has a very different code structure and purpose.

It collects user data from the environment variables and uploads this information to a remote host.

Environment information as provided by NodeJS process.env can reveal sensitive information about a developer’s environment such as the PATH variable, database server, ports, API keys, etc.

Malicious NPM package npmpubman exfiltrates environment variables to a remote server
Source: BleepingComputer

It is possible that all four packages were authored by the same attacker(s) despite conflicting data provided in the package.json manifests.

In a real-world scenario, npmpubman could be used as a part of an attacker’s reconnaissance efforts to collect information about a system, whereas the other packages establish a direct connection between the attacker’s and the victim’s computers.

As observed by BleepingComputer, the different NPM author accounts associated with these four packages have now been shut down by npm. Meanwhile, the GitHub repositories of the developers named in the manifests showed no recent traces of the packages ever being hosted there, despite package.json indicating such a possibility.

Cases of malware infiltrating the open-source ecosystem have been on the rise. Just last month, I had blogged about npm malware that went undetected and had been publishing users’ information on public GitHub pages in real time.

By exploiting the trust within the open-source community, attackers benefit from pushing their malicious code “downstream” to any developer or customer who may mistakenly include these malicious packages as a dependency in their application. 

These packages have been accounted for by Sonatype in their October malicious packages list, tracked as sonatype-2020-1013.
