Crypto-miner found hidden inside three npm libraries
The three files, disguised as user-agent string parsers, would detect the user’s operating system and then run a BAT or Shell script, based on the victim’s platform.
“These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize,” said Sonatype security researcher Ali ElShakankiry, who discovered the campaign.
This campaign’s specifics include:
- The names of the three npm packages were: klow, klown, okhsa.
- The packages were live only for a day, on October 15.
- None of the three libraries were downloaded more than 150 times, individually.
- The final payloads (cryptominers) could run on Windows or Linux platforms.
- All three packages were uploaded from the same account.
The number of malicious packages uploaded on the npm repository has been rising, but this is actually a good thing rather than a negative aspect, as this is the byproduct of companies like Snyk and Sonatype constantly monitoring new uploads and package updates for malicious code and catching miscreants before they do more damage and before packages are downloaded thousands of times in real-world projects.