A credential-stealing code bomb was found lurking in the Node.js open-source code repository. Researchers caught the malware filching credentials from Chrome on Windows systems via ChromePass. The password-stealer is multifunctional: it listens for incoming commands from the attacker's command-and-control (C2) server and can upload files and execute shell commands. The Node.js repository hosts more than 1.5 million unique packages and serves up 1 billion requests for JavaScript packages per day to around 11 million developers worldwide.
Source: https://threatpost.com/npm-package-steals-chrome-passwords/168004/

