A nasty malware that can steal passwords from Google Chrome, take screenshots and even use laptop cameras has been hidden in widely used software repositories since December 2020, the result of this "supply chain" attack, We don't know how many applications and other programs have been infected.

The malware has been removed from software repositories, but the damage has already been done. If software developers happened to run software containing this hidden malware without their knowledge, they could have been spied on and had their passwords stolen. Unfortunately, it is not yet known what was created with these corrupted components.

We may never truly know if passwords were stolen or privacy compromised in this manner. However, this incident highlights the dangers of allowing web browsers to store passwords.

Instead of storing passwords in your browser, use the best password manager or write your passwords in a book or on paper and keep them in a safe place.

According to a blog post yesterday (July 21) from Boston-area security firm Reversing Labs, the malware exploits a legitimate, free Windows password recovery tool called ChromePass, and as described on the ChromePass page As stated on the ChromePass page, it can "see the usernames and passwords stored by the Google Chrome web browser."

ChromePass itself is fine and useful, but it shows how easy it is to retrieve stored passwords from Chrome. (11]

So how did the malware get into the software repository? This is complicated, but let us briefly explain.

Hundreds of desktop applications, including Discord, Microsoft Teams, Slack, and Spotify, are built using web browser technology. (These applications are in a sense modified versions of Chromium, the open source browser used as the basis for Chrome, Microsoft Edge, Opera, and other web browsers.

These and thousands of other software applications rely on JavaScript, a software language developed for Netscape Navigator, the first widely used web browser in 1995, It is now widely used for all purposes outside of browsers.

To run JavaScript outside the browser, many developers use something called Node.js. The largest repository of Node.js code is called the Node Package Manager, or NPM.

NPM is not just a cache of code, but also an application that can retrieve over a million JavaScript "packages," or JavaScript module chunks that can be used as building blocks during software development. Some of these packages are paid for, but most are available for free.

Anyone can contribute packages to NPM, including those with malicious intent. In this case, someone built a free but fake JavaScript package called "nodejs_net_server" that contains the ChromePass password extraction tool and added it to NPM. This malicious package can also take screenshots and use a PC's webcam.

A second malicious JavaScript package with much less functionality, called "tempdownloadtempfile," was uploaded to NPM by the same person.

According to Reversing Labs, Bleeping Computer, and ThreatPost, these two packages have been downloaded nearly 1,300 times and over 800 times respectively by software developers.

It is unlikely that these developers really knew what they were getting into. However, once nodejs_net_server is installed on a developer's PC, it is embedded in a widely used JavaScript package called "jstest" that cannot be removed.

At this time, it is not known how much software, including desktop applications, has been built using these malicious JavaScript packages. We also do not know how many end users have been spied on. We may know more in the coming days and weeks.

But the bottom line is this: don't store sensitive passwords in your web browser, especially those that can unlock your bank account, online email service, or social media accounts.

Use a password manager. And use one of the best Windows 10 antivirus programs to catch at least some of the malicious packages.