The npm installer for PureScript package has been compromised

Pierluigi Paganini July 15, 2019

It has happened again: another JavaScript package in the npm registry has been compromised, this time the installer for PureScript.

The installer for the PureScript package in the npm registry was tampered with, forcing the project maintainers to purge the malicious code.

Last week many developers reported problems with the installer, and PureScript contributor Harry Garrood found malicious code in its npm installer.

Running npm i -g purescript from the command line installs the package, an extensive collection of libraries that counts about 2,000 installs a week.

The installer was originally developed and maintained by the Japanese developer Shinnosuke Watanabe (@shinnn); later the maintainers of the project asked him to hand control of the installer over to them.

The developer accepted the request but was disappointed with the decision.

“after a few too many disagreements and unpleasant conversations with @shinnn about the maintenance of the purescript npm installer, we (the compiler maintainers) recently decided that it would be better if we maintained it ourselves, and asked him if he would transfer the purescript package on npm to us. He begrudgingly did so,” wrote Garrood. “The 0.13.2 PureScript compiler release, which we cut last week, is the first release of the compiler since we took over the purescript npm package.”

Garrood explained that the PureScript installer has some dependencies that are also controlled by Watanabe, and that malicious code was added to some of these dependencies of the npm installer at separate times.

@shinnn claims that the packages were compromised by an attacker who gained access to his npm account. The good news is that the malicious code that was added serves only to sabotage: it crashes the PureScript npm installer.

The malicious code was identified and removed by the maintainers of the project, who have also dropped Watanabe’s dependencies.

“If you want to be absolutely sure you do not have malicious code on your machine, you should delete your node_modules directories and your package-lock.json files, and set a lower bound of 0.13.2 on the purescript package” wrote Garrood.
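The clean-up Garrood recommends has two parts that can be checked mechanically: the lock file must not pin a purescript release below 0.13.2, and package.json must not admit one. The following is an added example, not code from the article or from the PureScript project; it works on constructed sample package.json and package-lock.json contents (labelled as such in the code), and the function names audit, lower_bound and set_lower_bound are this example's own.

```python
import json
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample files (not taken from any real project): a project that
# still allows the pre-takeover purescript release and has it pinned in its lock.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "devDependencies": {"purescript": "^0.13.0"},
})
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {"purescript": {"version": "0.13.0"}},
})

# Lower bound the maintainers recommended after taking over the package.
MIN_SAFE: Version = (0, 13, 2)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z triple from a version string or range."""
    m = _VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None  # type: ignore[return-value]


def lower_bound(spec: str) -> Optional[Version]:
    """Lowest version a package.json range admits, or None if it is unbounded.

    Handles the common forms (exact, ^x.y.z, ~x.y.z, >=x.y.z, x.y.z - ..., and
    '||' alternatives).  A '>x.y.z' range is approximated by x.y.z itself, which
    is conservative: it can only flag more, never less.  '*', '', 'latest' and
    ranges that start with '<' have no lower bound at all.
    """
    bounds = []
    for alt in spec.split("||"):
        alt = alt.strip()
        if alt in ("", "*", "latest") or alt.startswith("<"):
            return None
        v = parse_version(alt)
        if v is None:
            return None
        bounds.append(v)
    return min(bounds)


def audit(package_json_text: str, lock_text: str,
          name: str = "purescript", min_safe: Version = MIN_SAFE) -> List[str]:
    """Return findings for `name`; an empty list means nothing below min_safe is admitted or pinned."""
    findings = []
    want = ".".join(map(str, min_safe))

    pkg = json.loads(package_json_text)
    for section in ("dependencies", "devDependencies"):
        spec = pkg.get(section, {}).get(name)
        if spec is None:
            continue
        lb = lower_bound(spec)
        if lb is None or lb < min_safe:
            findings.append(f"package.json {section}: {name} spec {spec!r} admits versions below {want}")

    lock = json.loads(lock_text)
    entries = dict(lock.get("dependencies", {}))           # lockfileVersion 1 layout
    for path, info in lock.get("packages", {}).items():    # lockfileVersion 2/3 layout
        if path.endswith("node_modules/" + name):
            entries[name] = info
    locked = entries.get(name, {}).get("version")
    if locked is not None:
        lv = parse_version(locked)
        if lv is None or lv < min_safe:
            findings.append(f"package-lock.json pins {name} {locked}: delete node_modules and the lock file, then reinstall")
    return findings


def set_lower_bound(package_json_text: str, name: str = "purescript",
                    min_safe: Version = MIN_SAFE) -> str:
    """Rewrite every spec for `name` in package.json to '>=min_safe' and return the new text."""
    pkg = json.loads(package_json_text)
    want = ">=" + ".".join(map(str, min_safe))
    for section in ("dependencies", "devDependencies"):
        if name in pkg.get(section, {}):
            pkg[section][name] = want
    return json.dumps(pkg, indent=2)


if __name__ == "__main__":
    for line in audit(SAMPLE_PACKAGE_JSON, SAMPLE_PACKAGE_LOCK):
        print("FINDING:", line)
    print(set_lower_bound(SAMPLE_PACKAGE_JSON))
```

The lock-file check matters because npm honours package-lock.json over the range in package.json, so raising the range alone does nothing until the lock file (and the already-extracted node_modules tree) is removed, which is exactly the order of steps in the quote above.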

A similar case recently impacted developers using the Ruby strong_password library, where the attacker hijacked the account of the real developer and injected malicious code into the library.


(SecurityAffairs – npm, hacking)
