The package, identified as 1337qq-js, was spotted stealing sensitive data through install scrips of Unix Systems. It marks the sixth-known incident to strike the npm repository in the past three years.
According to the analysis by the npm team, only Unix Systems are targeted, and the data it collects includes running processes, environment variables, uname –a, npmrc file and /etc/hosts.
In recent years, similar security breaches have made it on the npm repository index. Most notably, in April 2017, npm was hit with the upload of 38 malicious libraries configured to steal environment details from projects that used them.
Luckily, the malicious package was successfully removed from the npm website after a two-week shelf life.
The npm repository for 1337qq-js now reads: “This package name is not currently in use, but was formerly occupied by another package. To avoid malicious use, npm is hanging on to the package name, but loosely, and we’ll probably give it to you if you want it.”