Potentially compromised dependency getcookies (via mailparser)

[segphault]

Description:

On April 20, a seemingly routine dependency update PR introduced what appears to be a compromised package.

Updating mailparser from version 2.2.0 to 2.2.3 pulled in a transitive dependency called http-fetch-cookies, which has a sub-dependency called express-cookies, which depends on a package called getcookies. The getcookies package apparently has a backdoor (reported here) that looks like it uses the vm module to run arbitrary code provided from a request inside of the application's context.

It appears that npm has since removed http-fetch-cookies, express-cookies, get-cookies and mailparser 2.2.3. According to google cache, mailparser 2.2.3 was published 17 days ago with the added dependency. It's worth noting that mailparser became deprecated last month due to lack of funding, and this compromise seems to have happened since then. As mailparser has 67,000 weekly downloads, this is quite concerning.

[bosko]

This makes it impossible to start Rocket.Chat. After cloning project on Ubuntu 16.04 meteor npm install fails with:

npm ERR! 404 Not Found: mailparser@https://registry.npmjs.org/mailparser/-/mailparser-2.2.3.tgz

[evilpacket]

Here is some more context about the mentioned modules. https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies

[faziloub]

same for me but mine its
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/package.json'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/README.md'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/LICENSE'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/unset-value-4255578a/index.js'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/aws-sdk-8c444618/clients/alexaforbusiness.d.ts'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/protobufjs-497d90ae/docs/fonts/OpenSans-Regular-webfont.woff'
npm WARN tar ENOENT: no such file or directory, open '/home/Bureau/m/node_modules/.staging/chimp-6e0f149b/images/test-frameworks.png'
npm ERR! code E404
npm ERR! 404 Not Found: mailparser@https://registry.npmjs.org/mailparser/-/mailparser-2.2.3.tgz

[Sing-Li]

Thanks @segphault @bosko @evilpacket and @isabellarussell for reporting this!