A recent discovery by security researcher Paul McCarty revealed a malicious npm package named express-exp, which was found to be distributing an infostealer and/or crypto miner. Shockingly, this package had nearly 5 million downloads before being detected. This incident highlights the growing risks in the software supply chain and the need for stronger security measures in open-source ecosystems.
Indicators of Compromise (IOCs)
The report does not publish file hashes or network indicators; it describes the obfuscated JavaScript in express-exp as designed to:
– Steal sensitive data (credentials, API keys, etc.)
– Deploy a cryptocurrency miner
– Establish persistence on compromised systems
You Should Know: How to Detect and Mitigate npm Malware
1. Verify npm Packages Before Installation
Always check a package's metadata and reputation before installation. `npm view` shows publish dates, maintainers and the `scripts` block (install-time hooks are a common payload vector). Note that `npm audit` takes no package argument: it checks the current project's lockfile against the advisory database, so it only flags a malicious package once an advisory exists:
npm view express-exp
npm audit
Use Socket.dev or Snyk for deeper dependency analysis:
npx snyk test
2. Lock Down Dependencies with package-lock.json
Ensure `package-lock.json` is committed to version control so that every dependency change shows up in review, and install from it with `npm ci`, which refuses to proceed if package.json and the lockfile disagree:
npm install --package-lock-only
npm ci
3. Use Sigstore for Package Provenance Verification
Sigstore helps verify package authenticity. For npm, `npm audit signatures` (npm 9.5 and later) verifies the registry signatures and any Sigstore provenance attestations of the packages installed in the current project; `cosign verify` is the equivalent for container images, not for npm packages:
npm audit signatures
4. Monitor for Suspicious Network Activity
Check for unexpected outbound connections (common in infostealers and crypto miners). `netstat -l` lists only listening sockets, so use the non-listening view to see established connections owned by node:
ss -tnp | grep -E 'node|npm'
5. Automate Malware Scanning in CI/CD Pipelines
Integrate a scanner such as Trivy in your pipeline (OSSF Scorecard rates a repository's security practices and is a useful signal, but it is not a malware scanner). On current Trivy releases `--scanners` replaces the older `--security-checks` flag and `misconfig` replaces `config`:
trivy fs --scanners vuln,secret,misconfig .
6. Isolate npm Installs in Sandboxed Environments
Use Docker containers to limit damage, and disable lifecycle scripts so the package cannot run code during installation. The container still has network access here, so treat it as an analysis sandbox, not as a safe place to execute the package:
docker run --rm -it -w /sbx node:alpine sh -c "npm install --ignore-scripts express-exp && npm audit"
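The checks above all happen before or during installation. The following script, an added example that is not code from the original post or from the express-exp report, does the static part offline on an unpacked package directory: it lists the install-time hooks npm would run and counts obfuscation markers in the package's JavaScript. The package contents, the marker list and the verdict format are constructed assumptions, not real express-exp artifacts.

```shell
#!/bin/sh
# Added example (not from the original post): static pre-install vetting of an
# unpacked npm package directory. In practice, obtain the directory with
# `npm pack <name>` followed by `tar xzf <name>-<version>.tgz`; npm pack
# downloads the tarball without running the package's install scripts.
# Everything under "constructed sample" below is made up for this demo.

# Print the install-time hooks declared in package.json (sorted, space separated,
# empty line if none). Plain grep rather than a JSON parser, so a dependency
# literally named "install" would also match; prefer jq when it is available.
has_install_hooks() {
    hooks=$(grep -oE '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1" \
        | sed -E 's/"([a-z]+)".*/\1/' | sort -u | tr '\n' ' ')
    printf '%s\n' "${hooks% }"
}

# Count lines in a JS file that use common obfuscation/loader primitives.
count_obfuscation_markers() {
    grep -cE 'eval\(|new Function\(|fromCharCode|atob\(|Buffer\.from\([^,]*,[[:space:]]*.base64|child_process|\\x[0-9a-fA-F]{2}' "$1" || true
}

# Verdict for a package directory: "OK", or "REVIEW" with the evidence.
vet_package() {
    dir=$1
    hooks=$(has_install_hooks "$dir/package.json")
    markers=0
    for f in "$dir"/*.js; do
        [ -f "$f" ] || continue
        markers=$((markers + $(count_obfuscation_markers "$f")))
    done
    if [ -n "$hooks" ] || [ "$markers" -gt 0 ]; then
        printf 'REVIEW hooks=[%s] markers=%s\n' "$hooks" "$markers"
    else
        printf 'OK\n'
    fi
}

# --- constructed sample: a suspicious package (not real express-exp contents) ---
SANDBOX=$(mktemp -d)
CLEAN=$(mktemp -d)
trap 'rm -rf "$SANDBOX" "$CLEAN"' EXIT
cat > "$SANDBOX/package.json" <<'EOF'
{
  "name": "example-suspicious",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "node setup.js",
    "test": "echo ok",
    "postinstall": "node index.js"
  }
}
EOF
cat > "$SANDBOX/index.js" <<'EOF'
const cp = require('child_process');
const payload = Buffer.from("Y3VybCBodHRwOi8vZXhhbXBsZS5pbnZhbGlkLw==", "base64").toString();
eval(payload);
const s = String.fromCharCode(0x68, 0x69);
console.log(s);
EOF

# --- constructed sample: a benign package for comparison ---
cat > "$CLEAN/package.json" <<'EOF'
{
  "name": "example-clean",
  "version": "1.0.0",
  "scripts": { "test": "node test.js" }
}
EOF
cat > "$CLEAN/index.js" <<'EOF'
module.exports = function add(a, b) { return a + b; };
EOF

vet_package "$SANDBOX"
vet_package "$CLEAN"
```

A REVIEW verdict is a signal to read the code, not proof of malice: many legitimate packages declare a `postinstall` hook or use `child_process`. The point is that the check runs before any of that code executes.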
What Undercode Say
The express-exp incident underscores the critical need for zero-trust approaches in software dependencies. Key takeaways:
– Always audit third-party packages (npm audit, yarn why)
– Enforce strict CI/CD policies (lockfiles, Sigstore, SBOM generation)
– Monitor runtime behavior (strace, lsof, sysdig)
– Use Linux security modules (AppArmor, SELinux) to restrict npm. Profile the node binary rather than the npm wrapper script, since node is the process that actually executes package code (adjust the path for your install):
aa-genprof /usr/bin/node
– Block malicious IPs associated with npm malware:
iptables -A OUTPUT -d <MALICIOUS_IP> -j DROP
– Windows users should inspect node processes and their command lines via:
Get-CimInstance Win32_Process -Filter "Name='node.exe'" | Select-Object ProcessId, ParentProcessId, CommandLine
Expected Output:
A secure npm workflow with automated checks, runtime monitoring, and strict dependency controls to prevent supply chain attacks.
References:
Reported By: Mccartypaul Criminals – Hackers Feeds