A new widespread software supply-chain attack has been discovered by researchers, this time consisting of a password stealer harvesting credentials from Chrome on Windows systems via a tool called ChromePass. According to researchers, the campaign was discovered after professionals caught the malware stealing credentials, listening for incoming commands from the attacker’s command and control server, uploading files, recording from screens and cameras on devices, and executing shell commands. The credential-stealing malware uses legitimate password recovery tools in Google’s Chrome web browser. Researchers initially found the malware through an npm open-source code repository.
NPM stands for Node Package Manager and refers to the default package manager for the JavaScript runtime environment Node.js. This tool is built into Chrome’s V8 JavaScript engine and bears similarities to other code repositories hosted by GitHub and RubyGems. According to researchers, the ecosystem is vast, as npm hosts more than 1.5 million unique packages and serves up more than a billion JavaScript package requests per day.
Read More: NPM Package Steals Passwords via Chrome’s Account-Recovery Tool