Backdoor injected to NPM express-cookies package
58 points by ekke 2967 days ago
Remote code injection vulnerability in the wild in a public npm package, the plausible-sounding 'express-cookies' and its dependency 'getcookies'. >10K downloads during April.

Vulnerable code: https://npm.runkit.com/getcookies/test/harness.js?t=1525249320108

https://www.npmjs.com/package/express-cookies

6 comments

No links to git repo in the packages, big warning sign.
Suspiciously good looking profile pic for the developer too; https://www.google.com/search?tbs=sbi:AMhZZite6RvKwDFjIobMX-...
Because it's a crop from a stock photo with a male model (in fact, see the first image result on the page).
Can someone explain how the injection itself works? I assume it's the require doing the work, but it's not so clear how that loads externally instead of from a path in the filesystem.
The npm guys explain it in their blog today: https://news.ycombinator.com/item?id=16975025
It appears to be middleware that looks at headers, and if a certain condition is met, it'll basically execute https://nodejs.org/api/vm.html#vm_vm_runinthiscontext_code_o... against whatever the header has.
I am curious to know whether you reported it to npm upon your findings. npm questioned me for who to credit on this matter, and they would like to know who the original finder was.
And NPM took it down quickly, whew.
Did you report it to NPM?
I don't know how many reported it to npm, but when I initially saw the post on HN, I took the steps to report the packages.

I don't know who to credit on this, and neither does npm but OP seems to be the source of these findings, although it would baffle me if they didn't report it to npm.

Sure, and at least a few more people :)
There is no reason to use "express-cookies" when "cookie-parser" exists.
Express just ejected a bunch of its functionality into “express-“ modules.
Am I the only one that's only reading the comments after seeing the first two words of the title?