Qix-/node-backslash
cpe:2.3:a:is.js_project:is.js:*:*:*:*:*:*:*
This vulnerability is being actively exploited in the wild.
A malware injection vulnerability has been identified in the NPM package 'backslash' version 0.2.1, published after the package author's account was taken over via phishing. The injected malware targets cryptocurrency transactions by redirecting funds to the attacker's wallet addresses. It operates within browser environments, including applications built with popular bundling tools and frameworks such as Babel, Rollup, Vite, and Next.js, and specifically targets wallets and transactions related to cryptocurrencies, with a focus on Ethereum and MetaMask. After the malicious version was published, NPM removed it from the registry, but not before it had been downloaded; copies may still exist in private registries and mirrors.
The vulnerability allows for unauthorized interception and manipulation of cryptocurrency transactions, redirecting funds from the victim's wallet to the attacker's wallet. This is achieved by replacing the recipient addresses in transaction data with addresses controlled by the attacker, using a technique that mimics the appearance of legitimate addresses to avoid detection.
The vulnerability can be reproduced by including the 'backslash' package version 0.2.1 in a project, and then bundling the application for browser use. Once the application is running in a browser environment with a connected cryptocurrency wallet, the malware will activate and begin intercepting and altering transaction data.
Users should upgrade to 'backslash' version 0.2.2, remove the 'node_modules' directory, clean the package manager's global cache, and rebuild any browser bundles from scratch. Those using private registries or registry mirrors should purge the compromised version from any caches.