Nexus Intelligence Insights: Sonatype-2020-0003 – npm malicious package 1337qq-js

by Elisa Velarde on January 15, 2020

Happy New Year! Nexus Intelligence Insights is back with an open source component vulnerability that turns out to be not so bad after all.

Typically when an advisory about a “bad” open source software component hits the news, the story is somewhat dire – millions of accounts hacked, sensitive data stolen and teams scrambling to locate the production application running the vulnerable code.

This time, the news is a bit more hopeful. npm, the popular package manager for Javascript, has taken down 1337qq-js, after the Microsoft Vulnerability Research Team identified a major attack vector. The malicious code stole environment variables and targeted Unix machines only.

Why is this good news? Because the effort that’s gone into proactive due diligence and reporting vulnerabilities paid off this time. Today, there are more “vuln” hunters than ever before. Some researchers do it for a bounty, others for the thrill and some for both. Platforms like Sonatype’s Central Security Project make it easier than ever to report a vulnerability, coordinate the communication with the project, and get a CVE number assigned if necessary. Bad actors who have attempted to use the magnanimous nature of the open source community against itself, are being met with a collective show of force to stop hackers before they can do widespread damage.

As a company that prides itself on being deeply involved in the open source community, we applaud this. We were happy to learn that only 32 downloads of the malicious package were made before it was reported on January 9, 2020. The remediation was swift (the package was removed) and the npm developer community promptly notified.