Malicious npm packages caught installing remote access trojans ZDNet
https://www.zdnet.com/article/malicious-npm-packages-caught-installing-remote-access-trojans/

>The security team behind the "npm" repository for JavaScript libraries removed two npm packages this Monday for containing malicious code that installed a remote access trojan (RAT) on the computers of developers working on JavaScript projects.
>techrepublic cheat sheet
>
>The name of the two packages was jdb.js and db-json.js., and both were created by the same author and described themselves as tools to help developers work with JSON files typically generated by database applications.
>
>Both packages were uploaded on the npm package registry last week and were downloaded more than 100 times before their malicious behavior was detected by Sonatype, a company that scans package repositories on a regular basis.
>
>According to Sonatype's Ax Sharma, the two packages contained a malicious script that executed after web developers imported and installed any of the two malicious libraries.
>
>The post-install script performed basic reconnaissance of the infected host and then attempted to download and run a file named patch.exe (VT scan) that later installed njRAT, also known as Bladabindi, a very popular remote access trojan that has been used in espionage and data theft operations since 2015.
>
>To make sure the njRAT download wouldn't have any issues, Sharma said the patch.exe loader also modified the local Windows firewall to add a rule to whitelist its command and control (C&C) server before pinging back its operator and initiating the RAT download.
>
>All of this behavior was contained in the jdb.js package only, while the second package, db-json.js, loaded the first in an attempt to disguise its malicious behavior.
>...