Malicious Package Was Stealing User Credentials on the NPM Repository

Last updated August 17, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

NPM (Node Package Manager) has just removed a malicious package named “bb-builder” that was reportedly capable of stealing user login credentials from systems that it got installed on. The administrators of NPM marked the package’s risk as “severe” and warned people who installed it that their computers should be now considered “fully compromised”. The package executed an exfiltrator that was developed for Windows and sent the stolen user credentials to a remote server. That said, removing the package now from the repository or from the infected computers won’t change the fact that peoples’ secret keys have been already compromised.

The discovery of the malicious nature of all versions of bb-builder was made by Tomislav Pericin, co-founder of the ReversingLabs static analysis firm. The researcher scanned the entire NPM repository which consists of nine million packages and amounts to 35 terabytes of data. The same company had done something similar with the PyPI Python repository last month, discovering another malicious package called "libpeshnx". As the analysis firm points out, these discoveries are natural, as package manager repositories that serve software development companies are a great point to plant something that will enable the launching of a supply chain attack.

The “bb-builder” remained in NPM for over a year without anyone noticing what it was doing, but thankfully, it wasn’t very popular. As it’s indicated from the repository stats, the number of downloads peaked at 78 in June. The name of the package is such that it could easily create confusion with other more popular packages, but it looks like developers are generally careful with what they are using as they are generally meticulous personalities.

NPM is a repository that comes with a package management tool which is devoted to the JavaScript programming language. It is used for the storing, downloading, and linking of public or private packages, allowing users to consume and distribute JavaScript modules. Developers use NPM for local dependency management and automated package retrieval and installation. Because there’s no vetting in the registry, some of the packages in NPM can be of low quality or even malicious. Similar repositories that are devoted to other programming languages and projects, and that have been repeatedly compromised in the past are PyPI (Python), NuGet (.NET), and RubyGems (Ruby).

Have something to comment on the above? Feel free to share your thoughts down below, or discuss this news with our online community, on Facebook and Twitter.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: