npm is a package manager for JavaScript and the default one for Node.js. Its online database of packages has no vetting process for submissions, relying instead on user reports and an audit feature to help developers identify vulnerabilities. In this case, 1337qq-js was marked with a CVSS severity of critical. A backdoor in the code lets a remote attacker gain access to the user and steal important information.

According to the npm security team, it exfiltrates environment variables, running processes, the /etc/hosts file, the output of uname -a, and the npmrc file. Because API access tokens for web apps are commonly held in environment variables, installing such a package could lead to a lot of trouble.

To mitigate the risk, developers who used the package are advised to simply uninstall it so that it is removed from their apps. Obviously, credentials should be changed.

Thankfully, this package was caught before it reached major popularity. Microsoft caught it two weeks after it went live, limiting the impact. Still, it's another reason for caution after various similar incidents. npm packages have previously been published to steal cryptocurrency, steal developer credentials, and exfiltrate environment details. In his yearly security review, VP of npm security Adam Baldwin revealed that there had been 1,285 security advisories, 595 of which were created in 2019.
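Before uninstalling and rotating credentials, it helps to know whether the flagged package is installed at all, including as a transitive dependency. The following is an added example, not code from the article or from npm: it scans a parsed package-lock.json in both the flat (v2/v3) and nested (v1) layouts. The function names, the "demo-app" and "some-helper" packages, and the version strings are constructed for illustration.

```javascript
// Added example: locate a flagged package anywhere in an npm lockfile.
const FLAGGED = new Set(["1337qq-js"]); // name taken from the advisory above

// Lockfile v2/v3: flat "packages" map keyed by install path.
function scanPackages(packages = {}) {
  const hits = [];
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" key is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Lockfile v1: nested "dependencies" tree; recurse to reach transitive installs.
function scanDependencies(deps = {}, prefix = "") {
  const hits = [];
  for (const [name, meta] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
    hits.push(...scanDependencies(meta.dependencies, `${path}/`));
  }
  return hits;
}

// v2 lockfiles carry both sections, so report each install path once.
function findFlagged(lock) {
  const byPath = new Map();
  const all = [...scanPackages(lock.packages), ...scanDependencies(lock.dependencies)];
  for (const hit of all) byPath.set(hit.path, hit);
  return [...byPath.values()];
}

// Constructed sample: "some-helper" and the version strings are made up.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-helper": { version: "2.1.0" },
    "node_modules/some-helper/node_modules/1337qq-js": { version: "0.0.0-sample" },
  },
  dependencies: {
    "some-helper": { version: "2.1.0", dependencies: { "1337qq-js": { version: "0.0.0-sample" } } },
  },
};

for (const h of findFlagged(sampleLock)) console.log(`FOUND ${h.name}@${h.version} at ${h.path}`);
```

To check a real project, pass the result of JSON.parse on its package-lock.json to findFlagged; any hit means the machine's environment variables and npmrc tokens should be treated as exposed.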