Crypto-miner found hidden inside three npm libraries

DevOps security firm Sonatype has uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded to the official npm package repository.

The three files, disguised as user-agent string parsers, would detect the user's operating system and then run a BAT or Shell script, based on the victim's platform.

"These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize," said Sonatype security researcher Ali ElShakankiry, who discovered the campaign.

This campaign's specifics include:

  • The names of the three npm packages were klow, klown and okhsa.
  • The packages were live only for a day, on October 15.
  • None of the three libraries was downloaded more than 150 times individually.
  • The final payloads (cryptominers) could run on Windows or Linux platforms.
  • All three packages were uploaded from the same account.

The number of malicious packages uploaded to the npm repository has been rising, but this is a positive sign rather than a negative one: it is the byproduct of companies like Snyk and Sonatype constantly monitoring new uploads and package updates for malicious code, catching miscreants before they do more damage and before the packages are downloaded thousands of times into real-world projects.

Catalin Cimpanu is a cybersecurity reporter who previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.