Intrigued by the presence of executable code for Windows, PE files on the graph, we decided to dig in and take a closer look at the packages containing this file type. Among the plethora of Mono .NET applications and common third-party libraries, stood a pretty well-known potentially unwanted application - a password recovery tool. We call these kinds of applications potentially unwanted as their use, or misuse, has to be put in context. A password recovery tool used to refresh your memory when you forget a website credential is OK, but it being found in NPM repository, probably not OK.

facebook password recovery 1.0.1

2018-03-04 14:26:18bb-builder project is updated to version 1.0.1. This is the first version to include the password recovery tool. Its use, however, is rudimentary. The JavaScript code just calls the tool to log the passwords to an HTML file. This is likely done to test the level of security the NPM repository has, if it would detect the password recovery tool and block the package as malicious.

2018-03-04 14:55:47bb-builder project is updated to version 1.0.2. Dependency on Axios package is added, an HTTP client that can post web requests. This dependency is used to submit the password recovery output to a web server hosted here [.]host[.]jwte[.]ch:1337/pwn

If the password is already saved on the browser, then download software called FacebookPasswordDecryptor which shows the detected facebook passwords stored through Internet Explorer, Chrome, or other browsers. Just download and run the program and soon you will have the necessary details.

What caught the researcher's eye were the PE (portable executable files), so he decided to check the packages that included this type of files. From the entire bunch, a password recovery tool stood out.

"The password recovery tool in question is WebBrowserPassView. It is used to recover website login information stored by Internet Explorer, Mozilla Firefox, Google Chrome, Safari, and Opera browsers."

Version 1.0.1 of the project was the first one to include the password recovery tool. Every new iteration of 'bb-builder' added new functionality, such as a dependency to submit the credentials to the author's web sever, changing the storage location for the stolen data, fixing bugs, or deleting it after being sent to a remote machine. 2ff7e9595c