Just over 1,200 packages have appeared on npm within a few days, apparently in preparation for a supply chain attack. All of them contain a copy of the code from a cryptomining package. For now the code does not run, because it depends on an external call.
Checkmarx, a company specializing in secure software development, discovered and analyzed the flood of packages on npm. According to Checkmarx, the packages come not from one or a few accounts but from more than 1,000 automatically created npm accounts. Most of the packages are probably still available on npm.
Preparing for cryptomining attacks?
Besides the mining code, many packages carry a hard-coded username in their configuration files. Checkmarx has dubbed the actor "cuteboi" after that username and after the evidently not purely random name "cloudboi12" belonging to one of the automatically created npm accounts.
Alongside the username, the configuration holds a URL to which the mined cryptocurrency is to be delivered; Checkmarx suspects that an XMRig proxy is running at that address. cuteboi's packages contain XMRig mining binaries for Linux and Windows whose file names match the package they ship in. It is not yet clear what will eventually launch the miner from within the packages.
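The indicators described above (a miner configuration with a hard-coded user and pool URL, bundled Linux and Windows binaries named after the package, and a lifecycle script that could launch them) can be checked for mechanically. The following is an added example, not Checkmarx's tracking tooling and not code taken from the cuteboi packages: it scans an in-memory model of package contents and reports what it finds. The sample packages are constructed, and the configuration layout it looks for (a "pools" list with "url" and "user" fields) is an assumption based on XMRig's own config format.

```javascript
// Added example: heuristic scan over npm package contents for the indicators
// described in the article. Not Checkmarx's tooling and not code from the
// cuteboi packages. Sample packages below are constructed; the config layout
// ("pools" with "url"/"user") is assumed from XMRig's config format.

const BINARY_MAGIC = [
  { tag: "ELF", bytes: Buffer.from([0x7f, 0x45, 0x4c, 0x46]) }, // Linux executable
  { tag: "PE", bytes: Buffer.from([0x4d, 0x5a]) },              // Windows "MZ" header
];
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

function parseJson(text) {
  try { return JSON.parse(text); } catch { return null; }
}

// A file counts as a native binary when it starts with a known magic number.
function detectBinaryType(content) {
  if (!Buffer.isBuffer(content)) return null;
  const hit = BINARY_MAGIC.find(
    (m) => content.length >= m.bytes.length && content.subarray(0, m.bytes.length).equals(m.bytes),
  );
  return hit ? hit.tag : null;
}

// Returns the first pool entry of an XMRig-style config (url + user), or null.
function minerPool(text) {
  const cfg = parseJson(text);
  if (!cfg || typeof cfg !== "object") return null;
  const pools = Array.isArray(cfg.pools) ? cfg.pools : [cfg];
  return pools.find((p) => p && typeof p.url === "string" && typeof p.user === "string") || null;
}

// Scan one package ({ name, files: path -> string | Buffer }) and list findings.
function scanPackage(pkg) {
  const findings = [];
  for (const [path, content] of Object.entries(pkg.files)) {
    if (typeof content === "string" && path.endsWith(".json")) {
      const pool = minerPool(content);
      if (pool) findings.push(`miner-config ${path} user=${pool.user} url=${pool.url}`);
    }
    const bin = detectBinaryType(content);
    if (bin) findings.push(`native-binary ${path} (${bin})`);
  }
  // Install-time hooks are the usual place a bundled binary would be started from.
  const manifest = parseJson(pkg.files["package.json"] || "") || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (manifest.scripts && manifest.scripts[hook]) {
      findings.push(`lifecycle-hook ${hook}: ${manifest.scripts[hook]}`);
    }
  }
  return { name: pkg.name, findings };
}

function scanPackages(pkgs) {
  return pkgs.map(scanPackage).filter((r) => r.findings.length > 0);
}

// Constructed sample packages (not real npm packages).
const SAMPLE_PACKAGES = [
  {
    name: "tidy-strings",
    files: {
      "package.json": JSON.stringify({ name: "tidy-strings", version: "1.0.0", main: "index.js" }),
      "index.js": "module.exports = (s) => s.trim();",
    },
  },
  {
    name: "qzx8f2kd", // random-looking name, like the ones the article describes
    files: {
      "package.json": JSON.stringify({ name: "qzx8f2kd", version: "1.0.0", main: "index.js" }),
      "index.js": "module.exports = {};",
      "config.json": JSON.stringify({
        pools: [{ url: "pool.example.invalid:3333", user: "miner-user", pass: "x" }],
      }),
      "bin/qzx8f2kd": Buffer.from([0x7f, 0x45, 0x4c, 0x46, 0x02, 0x01, 0x01, 0x00]),
      "bin/qzx8f2kd.exe": Buffer.from([0x4d, 0x5a, 0x90, 0x00]),
    },
  },
  {
    name: "loader-demo",
    files: {
      "package.json": JSON.stringify({
        name: "loader-demo", version: "0.1.0", scripts: { postinstall: "node ./run.js" },
      }),
      "run.js": "/* would spawn a bundled binary */",
    },
  },
];

for (const r of scanPackages(SAMPLE_PACKAGES)) console.log(r.name, r.findings);
```

Run against real packages, `pkg.files` would be filled from the extracted tarball (`npm pack` output or `node_modules`). The scan deliberately reports the lifecycle hook separately from the miner indicators: a package with binaries and a pool config but no hook matches the "parked" state the article describes, while the same package gaining a postinstall script would be the change to alert on.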
npm accounts in bulk
The sheer number of automatically created npm accounts is remarkable. cuteboi used mail.tm, a disposable email service. The service offers a REST API, through which cuteboi automated the one-time-password email verification that npm requires when creating an account.
It is still unclear whether the flood of packages is actually preparation for a cryptomining attack or merely a large trial balloon. The names of cuteboi's npm packages do not follow any known attack pattern such as typosquatting, brandjacking or dependency confusion, but look like randomly generated strings.
Malicious code in open source packages is one of the most common attacks on the software supply chain. Attackers publish supposedly useful packages on package registries, and developers pull them into their applications. Common methods are typosquatting and brandjacking. The latter uses company names such as Twilio to fake a legitimate origin.
With typosquatting, malicious packages are given names resembling those of popular packages. The method relies on typing mistakes on the one hand and on swapped separators such as underscores and hyphens on the other: my-package becomes my_package. The attackers' hope is that someone will mistype the name.
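Both variants of the trick just described, the separator swap and the plain typo, can be caught with the same check on a project's dependency list. The following is an added example, not code from the article: it normalizes away case and separators, then measures edit distance to a list of popular package names. The popular-package list and the dependency list are constructed for the example; in practice the first would come from registry download statistics and the second from the project's package.json.

```javascript
// Added example (not from the original article): flag dependency names that are
// a separator swap or a single typing error away from a popular package name.
// Both lists are constructed for the example.

const POPULAR_PACKAGES = ["lodash", "express", "chalk", "my-package"];

// Constructed dependency list, e.g. the keys of a package.json "dependencies" map.
const SAMPLE_DEPENDENCIES = ["lodash", "my_package", "lodahs", "expres", "chalk", "react-dom"];

// Case and separator differences are exactly what the swap trick relies on,
// so strip them before comparing.
function normalizeName(name) {
  return name.toLowerCase().replace(/[-_.]/g, "");
}

// Optimal string alignment distance: insertion, deletion, substitution and a
// swap of two adjacent characters each cost 1, covering common typing errors.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent transposition
      }
    }
  }
  return d[a.length][b.length];
}

// One entry per suspicious dependency, naming the popular package it resembles.
function findTyposquatCandidates(dependencies, popular) {
  const hits = [];
  for (const dep of dependencies) {
    if (popular.includes(dep)) continue; // the genuine package itself
    for (const target of popular) {
      if (normalizeName(dep) === normalizeName(target)) {
        hits.push({ dependency: dep, resembles: target, reason: "separator or case variant" });
      } else if (editDistance(dep, target) === 1) {
        hits.push({ dependency: dep, resembles: target, reason: "one typing error away" });
      }
    }
  }
  return hits;
}

for (const h of findTyposquatCandidates(SAMPLE_DEPENDENCIES, POPULAR_PACKAGES)) {
  console.log(`${h.dependency} resembles ${h.resembles}: ${h.reason}`);
}
```

A distance threshold of 1 keeps false positives manageable for short names; for a list of thousands of popular packages the normalized-name comparison should be done through a lookup table rather than the nested loop used here.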
Another attack vector is packages that start out useful and harmless and only pick up malicious code once they have reached a certain level of adoption. The npm team discovered such a package in 2019 with electron-native-notify. Finally, dependency confusion attempts to replace internally hosted dependencies with external packages of the same name that carry malicious code. The external package is given a high version number because, depending on configuration, package installers such as pip pick the package with the highest version number, which they take to be the most recent.
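The resolution rule that dependency confusion exploits, and the configuration change that closes it, are easy to show in a few lines. The following is an added example, not code from the article or from any package manager: the "weak" resolver models an installer that consults every configured registry and takes the highest version wherever it was published (the behaviour the article attributes to pip in certain configurations), while the "scoped" resolver models npm binding a package scope to one registry through an `.npmrc` line. Registry contents, package names and URLs are constructed; the `@scope:registry=` syntax is real npm configuration.

```javascript
// Added example (not from the original article): a small model of how an
// installer that merges several registries and prefers the highest version can
// be steered to an attacker's public copy of an internal name, and how binding
// a scope to the internal registry avoids it. Registry contents, names and
// URLs are constructed; the "@scope:registry=" line is real .npmrc syntax.

const INTERNAL_REGISTRY = "https://npm.internal.example/";
const PUBLIC_REGISTRY = "https://registry.npmjs.org/";

// Constructed registry snapshots: package name -> published versions.
const REGISTRIES = {
  [INTERNAL_REGISTRY]: {
    "billing-utils": ["1.4.2", "1.5.0"],
    "@acme/billing-utils": ["1.4.2", "1.5.0"],
  },
  [PUBLIC_REGISTRY]: {
    "billing-utils": ["99.99.99"], // attacker's claim of the unscoped internal name
  },
};

// Hypothetical project .npmrc binding the @acme scope to the internal registry.
const NPMRC = `
@acme:registry=${INTERNAL_REGISTRY}
`;

// Numeric major.minor.patch comparison; pre-release tags are ignored here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

function highestVersion(versions) {
  const sorted = versions.slice().sort(compareVersions);
  return sorted[sorted.length - 1];
}

// Reads "@scope:registry=<url>" lines into a scope -> registry map.
function parseNpmrcScopes(text) {
  const scopes = {};
  for (const raw of text.split("\n")) {
    const m = /^(@[^:\s]+):registry=(\S+)$/.exec(raw.trim());
    if (m) scopes[m[1]] = m[2];
  }
  return scopes;
}

function scopeOf(name) {
  return name.startsWith("@") ? name.split("/")[0] : null;
}

// Weak behaviour: every registry is consulted and the highest version wins,
// wherever it was published. Returns { version, registry } or null.
function resolveHighestAnywhere(name, registries) {
  let best = null;
  for (const [registry, index] of Object.entries(registries)) {
    for (const version of index[name] || []) {
      if (!best || compareVersions(version, best.version) > 0) best = { version, registry };
    }
  }
  return best;
}

// Corrected behaviour: the scope decides which single registry is asked.
// Unscoped names still fall through to the default registry, so the fix only
// helps for packages that have actually been moved under the scope.
function resolveByScope(name, registries, npmrcText, defaultRegistry) {
  const scopes = parseNpmrcScopes(npmrcText);
  const scope = scopeOf(name);
  const registry = (scope && scopes[scope]) || defaultRegistry;
  const versions = (registries[registry] || {})[name] || [];
  return versions.length ? { version: highestVersion(versions), registry } : null;
}

console.log("weak:   billing-utils ->", resolveHighestAnywhere("billing-utils", REGISTRIES));
console.log("scoped: @acme/billing-utils ->", resolveByScope("@acme/billing-utils", REGISTRIES, NPMRC, PUBLIC_REGISTRY));
console.log("scoped: billing-utils ->", resolveByScope("billing-utils", REGISTRIES, NPMRC, PUBLIC_REGISTRY));
```

The third call is the one to note: an `.npmrc` scope binding protects `@acme/billing-utils`, but a project that keeps depending on the unscoped `billing-utils` still receives the attacker's 99.99.99 from the default registry. Renaming internal packages into a reserved scope and registering that scope on the public registry are the two halves of the fix.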
Checkmarx has set up a dedicated website to track cuteboi's activities on npm. The open source project behind it is also available on GitHub. More details can be found on the Checkmarx blog.