Malicious code found in the purescript npm installer


A few days ago, malicious code was detected in the dependencies of the npm package that provides the PureScript installer. It manifests when trying to install the purescript package.

The malicious code was embedded via the load-from-cwd-or-npm and rate-map dependencies. It should be noted that these dependencies are maintained by the original author of the npm package with the PureScript installer, who until recently also maintained that npm package before it was handed over to other maintainers.

About the problem

The problem was discovered by one of the new maintainers of the package, to whom the maintenance rights were transferred after many disagreements and unpleasant discussions with the original author of the npm purescript package.

The new maintainers are responsible for the PureScript compiler, and they insisted that the npm package with its installer should be maintained by the same maintainers, not by a developer outside the project.

The author of the npm package with the PureScript installer disagreed for a long time, but eventually gave in and granted access to the repository. However, some dependencies were left under his control.

Last week, the release of the PureScript 0.13.2 compiler was announced and the new maintainers prepared the corresponding update of the npm package with the installer, which is where the malicious code was detected.

The malicious code was first inserted into the npm package "load-from-cwd-or-npm" in version 3.0.2 and then into the rate-map package from version 1.0.3. In recent days, several versions of both packages were published.

The author of the npm package with the PureScript installer, who had been removed from the maintainer post, said that his account had been compromised by unknown attackers.

However, in its current form, the malicious code did nothing more than sabotage the installation of the package, which was the first release from the new maintainers. The malicious behavior amounted to hanging when attempting to install the package with the "npm i -g purescript" command, without performing any explicitly malicious activity.

Two attacks were identified

In summary, the code sabotages the purescript npm installer to prevent the download from completing, which causes the installer to hang during the "Check if a precompiled binary is provided for your platform" step.

The first exploit did this by breaking the load-from-cwd-or-npm package so that any call to loadFromCwdOrNpm() would return a PassThrough stream instead of the expected package (in this case, the request package, which we were using to download the compiler binaries). The second iteration of the exploit did this by modifying a source file to prevent a download callback from being fired.

4 days later, when the developers had worked out the source of the failures and were preparing to release an update removing load-from-cwd-or-npm from the dependencies, the attackers released another update, load-from-cwd-or-npm 3.0.4, in which the malicious code had been removed.

However, an update to another dependency, rate-map 1.0.3, was released almost immediately, with a change that blocks the download callback from being called.

That is, in both cases, the changes in the new versions of load-from-cwd-or-npm and rate-map had the character of evident sabotage.

The malicious code also contained a check that triggered the failure only when installing the release from the new maintainers; it did not trigger at all when installing previous versions.

The developers solved the problem by releasing an update in which the problematic dependencies were removed.

Finally, to prevent compromised code from remaining on users' systems after an attempt to install the problematic version of PureScript, the developer recommends that everyone who has the said versions of the package on their system remove the contents of the node_modules directories and the package-lock.json files, and then set the purescript version to 0.13.2.
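To find out which projects need that cleanup, a parsed package-lock.json can be checked for the dependency versions named above. This is an added example, not code from the PureScript maintainers; the function names, the sample lockfile and the open-ended rate-map range are assumptions.

```javascript
// Added example: flag the dependency versions named in the article inside a
// parsed package-lock.json. Helper names and sample data are illustrative.
const cmp = (a, b) => {                      // compare plain x.y.z versions
  const [x, y] = [a, b].map(v => v.split('-')[0].split('.').map(Number));
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d) return d;
  }
  return 0;
};

const SUSPECT = new Map([
  // per the article: malicious code added in 3.0.2, removed again in 3.0.4
  ['load-from-cwd-or-npm', v => cmp(v, '3.0.2') >= 0 && cmp(v, '3.0.4') < 0],
  // assumption: the article names no clean later release, so flag 1.0.3 and up
  ['rate-map', v => cmp(v, '1.0.3') >= 0],
]);

function findSuspectPackages(lock) {
  const hits = [];
  const check = (name, version, where) => {
    const isBad = SUSPECT.get(name);
    if (isBad && typeof version === 'string' && isBad(version)) hits.push({ name, version, where });
  };
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      check(path.split('node_modules/').pop(), meta.version, path);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree, so recurse
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const where = trail ? `${trail} > ${name}` : name;
        check(name, meta.version, where);
        walk(meta.dependencies, where);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Constructed sample lockfile (not taken from a real project).
const SAMPLE_LOCK = { lockfileVersion: 1, dependencies: {
  'example-installer': { version: '1.0.0', dependencies: { 'rate-map': { version: '1.0.3' } } },
  'load-from-cwd-or-npm': { version: '3.0.2' },
  'rate-map': { version: '1.0.2' },
} };
console.log(findSuspectPackages(SAMPLE_LOCK));
```

In practice the argument would be the result of JSON.parse on each project's package-lock.json, read before the file is deleted.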

