Malicious NPM Packages Caught Working Cryptominer On Home windows, Linux, macOS Gadgets


Three JavaScript libraries uploaded to the official NPM package deal repository have been unmasked as crypto-mining malware, as soon as once more demonstrating how open-source software program package deal repositories have gotten a profitable goal for executing an array of assaults on Home windows, macOS, and Linux techniques.

The malicious packages in query — named okhsa, klow, and klown — had been printed by the identical developer and falsely claimed to be JavaScript-based user-agent string parsers designed to extract {hardware} specifics from the “Consumer-Agent” HTTP header. However unbeknownst to the victims who imported them, the writer hid cryptocurrency mining malware contained in the libraries.

Automatic GitHub Backups

The dangerous actor’s NPM account has since been deactivated, and all of the three libraries, every of which had been downloaded 112, 4, and 65 instances respectively, have been faraway from the repository as of October 15, 2021.

Assaults involving the three libraries labored by detecting the present working system, earlier than continuing to run a .bat (for Home windows) or .sh (for Unix-based OS) script. “These scripts then obtain an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to make use of, the pockets to mine cryptocurrency for, and the variety of CPU threads to make the most of,” Sonatype safety researcher Ali ElShakankiry mentioned.

NPM Package

That is removed from the primary time brandjacking, typosquatting, and cryptomining malware have been discovered lurking in software program repositories.

Prevent Data Breaches

Earlier this June, Sonatype, and JFrog (previously Vdoo) recognized malicious packages infiltrating the PyPI repository that secretly deployed crypto-miners on the affected machines. That is however copycat packages named after repositories or parts used internally by high-profile tech firms in what’s referred to as dependency confusion.



Leave A Reply

Your email address will not be published.