A good 1200 packages have appeared on npm in the last few days, which indicate an imminent supply chain attack. / Crypto Miner Attack
Apparently, all packages contain a copy of the code from a cryptocurrency mining package. Currently the code does not start yet because it depends on an external call.
Checkmarx, a company specializing in secure software development, discovered and analyzed the flood of packages on npm. Accordingly, the packages do not come from one or a few, but from just over 1000 automatically created npm accounts. Most of the packages are probably still available on npm.
Prepare for Crypto Mining Attack?
In addition to the code, many packages include the hard-coded username “cute” in the configuration files. Checkmarx has dubbed the attack “cuteboi”, including the obviously not purely coincidental name “cloudboi12”, which one of the automatically created npm accounts has.
In addition to the name, there is a URL in the configuration where the mined cryptocurrency should end up. Checkmarx suspects that an XMRig proxy is running at the address. cuteboi’s packages contain binaries of the XMRig mining software for Linux and Windows, whose names match the associated package. It is not yet clear which software will ultimately start the process in the packages.
npm accounts in bulk
The high number of automatically created npm accounts is remarkable. cuteboi used mail.tm, a one-way mail service. The service has a REST API through which cuteboi has automated the login required to create an npm account via two-factor authentication (2FA).
It is currently still unclear whether the flood of packets is actually preparing a crypto miner attack or is just a large test balloon. The names of cutebois npm packages do not indicate any known attack pattern such as typosquatting, brandjacking or dependency confusion, but appear like randomly generated strings.