
Backdoor injected to NPM express-cookies package - ekke
Remote code injection vulnerability in the wild in a public npm package, the plausible-sounding 'express-cookies' and its dependency 'getcookies'. >10K downloads during April.

Vulnerable code: https://npm.runkit.com/getcookies/test/harness.js?t=1525249320108

https://www.npmjs.com/package/express-cookies
======
jononor
No links to git repo in the packages, big warning sign.

~~~
seanwhitsell
Suspiciously good looking profile pic for the developer too;
[https://www.google.com/search?tbs=sbi:AMhZZite6RvKwDFjIobMX-...](https://www.google.com/search?tbs=sbi:AMhZZite6RvKwDFjIobMX-kFh9uYB5vV1g-iN63JdRUO-6A65UJx3I2bridaMp8pyyG5-RvL77Kcv9Kh692YTw_1Zmpa-l7oEbi39X2NDGE7aQQ0rRKYBmTmOAeeqpsNkusNH8LzWMCFr756Dn-qlbJgaWjEfyj1x_1eUJDvUCFv4f9dDapoKOc_1rRG06pBxaaxcMW14Rrgccz4PNTYmjxyt1EpkS8oVSY8EYaOqbDJoVX7zCAsPWCSWH_1hoPjF0h2ieBiGaslHh4uXo-ySbVxhqVjLZM2JeGw9HaRhHfpQAzBVqGmvYReRdE2IVQvAinapYZQokhM_1TprPgk52_1SSGoatnctN77pzPg)

~~~
mindcrash
Because it's a crop from a stock photo with a male model (in fact, see the
first image result on the page).

------
jononor
Can someone explain how the injection itself works? I assume it's the require
doing the work, but it's not so clear how that loads externally instead of from
a path in the filesystem?

~~~
ekke
NPM guys explain it in the blog today:
[https://news.ycombinator.com/item?id=16975025](https://news.ycombinator.com/item?id=16975025)

~~~
jononor
Corrected URL to blogpost is:
[https://blog.npmjs.org/post/173526807575/reported-malicious-...](https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies)

------
chrbp
I am curious to know whether you reported it to npm upon your findings. npm
questioned me for who to credit on this matter, and they would like to know
who the original finder was.

------
ekke
And NPM took it down quickly, whew.

~~~
lucfranken
Did you report it to NPM?

~~~
chrbp
I don't know how many reported it to npm, but when I initially saw the post on
HN, I took the steps to report the packages.

I don't know who to credit on this, and neither does npm but OP seems to be
the source of these findings, although it would baffle me if they didn't
report it to npm.

------
cathhhhji
There is no reason to use "express-cookies" when "cookie-parser" exists.

~~~
hinkley
Express just ejected a bunch of its functionality into "express-" modules.

------
Aspyre
Am I the only one that's only reading the comments after seeing the first two
words of the title?

