Prepare for Crypto Miner Attack: Hundreds of suspicious packages at npm

Just over 1,200 packages have appeared on npm in the last few days, indicating an impending supply chain attack. Apparently, all of the packages contain a copy of the code from a cryptocurrency mining package. For now the code does not run, because starting it depends on an external call.

Checkmarx, a company specializing in secure software development, discovered and analyzed the flood of packages on npm. According to its analysis, the packages do not come from one or a few accounts but from more than 1,000 automatically created npm accounts. Most of the packages are probably still available on npm.

According to Checkmarx, all packages contain an almost identical copy of the legitimate package eazyminer, which in turn is a JavaScript wrapper for the C++ software XMRig for mining the Monero cryptocurrency. The package is meant to use otherwise idle resources, among other places on web servers and CI/CD (Continuous Integration / Continuous Delivery) systems. It runs at the lowest CPU priority so as not to noticeably slow down the machines.

In addition to the code, many packages contain the hard-coded username “sweet” in their configuration files. Checkmarx has dubbed the attack “cuteboi”, partly after the obviously not purely random name “cloudboi12” carried by one of the automatically created npm accounts.



The configuration file contains a URL and the uniform username “sweet”.

(Image: Checkmarx)

In addition to the name, the configuration contains a URL to which the mined cryptocurrency is to be sent. Checkmarx suspects that an XMRig proxy is running at that address. cuteboi's packages contain binaries of the XMRig mining software for Linux and Windows, named to match the respective package. It is not yet clear what will eventually start the mining process in the packages.

The high number of automatically created npm accounts is remarkable. cuteboi used mail.tm, a disposable e-mail service. The service offers a REST API, through which cuteboi automated the two-factor authentication step required to create an npm account.



The REST API of a disposable e-mail service helped with the two-factor authentication needed to create new users.

(Image: Checkmarx)

It is currently still unclear whether the flood of packages is actually preparing a cryptocurrency attack or is just a large-scale trial balloon. The names of cuteboi's npm packages do not indicate any known attack pattern such as typosquatting, brandjacking or dependency confusion, but look like randomly generated strings.

Malicious code in open source packages is one of the most common attacks on the software supply chain. Attackers publish supposedly useful packages on package registries, which developers then use in their applications. Common methods are typosquatting and brandjacking. The latter uses company names such as Twilio to feign a legitimate source.

With typosquatting, malicious packages get names similar to those of popular packages. The method relies partly on spelling errors and partly on swapped separators such as underscores and hyphens: my-packet becomes my-paket, mypacket or my_packet. Somebody will make a typo, the attackers reasonably hope.

Another attack vector is packages that are initially useful and harmless and only pick up the malicious code once they have reached a certain level of distribution. The npm team discovered such a package in 2019 with electron-native-notify. Finally, dependency confusion tries to replace internally hosted dependencies with external packages of the same name that contain malicious code. The malicious package gets a high version number because, depending on their configuration, package installation tools such as pip use the package with the highest version number, which is assumed to be the most recent.

Checkmarx has set up a dedicated website to track cuteboi's activities on npm. The open source project is also available on GitHub. More details can be found on the Checkmarx blog.


(rm)
