getcookies backdoor reached mailparser dependency chain
npm removed getcookies, two related cookie packages, and three mailparser releases after a community report found a request-header backdoor in the dependency chain.
Story
The important package in this incident was not mailparser itself. On May 2, 2018, npm received a community report that getcookies, a package presented as a cookie parser, contained a backdoor. Two other packages, express-cookies and http-fetch-cookies, depended on it. Three mailparser releases then depended on http-fetch-cookies, pulling the chain into a deprecated but still heavily downloaded package.
npm's analysis found a header-driven remote-code path. The code stringified request.headers, searched for attacker-formatted markers, used control values to reset or append to an in-memory code buffer, and executed the buffer with vm.runInThisContext. In a server path that actually used the malicious module, that meant a crafted HTTP request could become arbitrary Node.js code.
The attempted reach was the story. npm said download counts for getcookies, express-cookies, and http-fetch-cookies spiked around the time a mailparser version began depending on http-fetch-cookies. mailparser still had about 64,000 weekly downloads despite being deprecated, so the chain made a small cookie parser look more legitimate and gave it a path toward real production installations.
npm also drew an important boundary: published mailparser versions that depended on http-fetch-cookies did not use the dependency in a way that triggered the backdoor. npm removed getcookies, express-cookies, http-fetch-cookies, and mailparser versions 2.2.1 through 2.2.3, then reset the mailparser maintainer's npm tokens. This was a near miss in a dependency chain, not evidence that mailparser users were compromised.
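A defensive check a maintainer could run against this incident, added here as an example and not part of the original record or of npm's tooling: it walks a lockfileVersion 1 package-lock.json (nested "dependencies" objects) and reports every occurrence of the four packages npm removed, with the parent chain that pulled each one in. The lockfile and the http-fetch-cookies and getcookies version numbers are constructed for illustration; only the mailparser versions come from the record.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 1, nested layout)
// for the packages npm removed in the getcookies incident.
const REMOVED = {
  getcookies: () => true,          // all versions removed
  'express-cookies': () => true,   // all versions removed
  'http-fetch-cookies': () => true, // all versions removed
  // mailparser: only 2.2.1 through 2.2.3 depended on http-fetch-cookies
  mailparser: (v) => ['2.2.1', '2.2.2', '2.2.3'].includes(v),
};

// Recursively walk the lockfile and collect hits with their parent chain,
// so a transitive pull-in (app > mailparser > http-fetch-cookies) is visible.
function findRemovedPackages(lock) {
  const hits = [];
  function walk(deps, chain) {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...chain, `${name}@${entry.version}`];
      const isRemoved = REMOVED[name];
      if (isRemoved && isRemoved(entry.version)) {
        hits.push({ name, version: entry.version, chain: path.join(' > ') });
      }
      walk(entry.dependencies, path); // nested = transitive dependency
    }
  }
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: an app on mailparser 2.2.2, which pulls in
// http-fetch-cookies and, through it, getcookies (these two versions are
// made up; express is a clean control entry).
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    mailparser: {
      version: '2.2.2',
      dependencies: {
        'http-fetch-cookies': {
          version: '1.0.0',
          dependencies: { getcookies: { version: '0.1.0' } },
        },
      },
    },
    express: { version: '4.16.3' },
  },
};

for (const h of findRemovedPackages(SAMPLE_LOCK)) {
  console.log(`REMOVED ${h.name}@${h.version} via ${h.chain}`);
}
```

A mailparser release outside 2.2.1 through 2.2.3 is not flagged on its own, matching npm's boundary that only those three versions carried the dependency.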
Affected Artifacts
- Observed: 2018-05-02
- Compromised Versions: Unknown
- Fixed: Not listed
- Evidence: distribution: npmjs.com/package/getcookies, mirror: blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies, package: getcookies, package: express-cookies, +9 more
- npm removed getcookies, express-cookies, http-fetch-cookies, and mailparser versions 2.2.1, 2.2.2, and 2.2.3.
- npm reset the mailparser maintainer's tokens as a precaution after removing the affected mailparser releases.
- Hacker News discussion surfaced the suspicious lack of repositories and the stock profile photo associated with the packages before npm published its write-up.
Incident Context
- Motive: Unauthorized Access Control
- Cause: Malicious Dependency
- Transitive: Yes
External References
- Reported malicious module: getcookies (blog.npmjs.org)
- NPM Attackers Sneak a Backdoor into Node.js Deployments through Dependencies (thenewstack.io)
- Somebody Tried to Hide a Backdoor in a Popular JavaScript npm Package (bleepingcomputer.com)
- Cookie code compromise caper caught and crumbled (theregister.com)
- Backdoor injected to NPM express-cookies package (news.ycombinator.com)
- What are Weak Links in the npm Supply Chain? (dl.acm.org)
Source record: oss/attacks/mailparser/meta.yaml