Prepare for Crypto Miner Attack: Hundreds of Suspicious Packages on npm

Just over 1200 packages have appeared on npm within a few days, and they point to an imminent supply-chain attack.

Apparently all of the packages contain a copy of the code of a cryptocurrency-mining package. For now the code does not run: starting it depends on an external call that has not yet been made.

Checkmarx, a company specializing in secure software development, discovered and analyzed the flood of packages on npm. According to its analysis, the packages do not come from one or a few accounts but from just over 1000 automatically created npm accounts. Most of the packages are probably still available on npm.

Prepare for Crypto Mining Attack?

According to Checkmarx, all of the packages contain a nearly identical copy of the legitimate package eazyminer, which is itself a JavaScript wrapper around XMRig, C++ software for mining the cryptocurrency Monero. eazyminer is meant to put idle capacity on web servers and CI/CD (continuous integration / continuous delivery) systems, among others, to use; it runs the miner at the lowest CPU priority so that the machines' normal work is not affected.

Besides the code, many packages carry the hard-coded username "cute" in their configuration files. Checkmarx has named the campaign "cuteboi", a combination of that username and "cloudboi12", the name of one of the automatically created npm accounts, which is unlikely to be pure coincidence.

The configuration also holds a URL to which the mined cryptocurrency is to be sent; Checkmarx suspects that an XMRig proxy is running at that address. cuteboi's packages ship binaries of the XMRig mining software for Linux and Windows, renamed to match the package they belong to. It is not yet clear what will ultimately start the mining process in the packages.

npm accounts in bulk

The sheer number of automatically created npm accounts is remarkable. cuteboi used mail.tm, a disposable e-mail service. Its REST API allowed cuteboi to automate the two-factor authentication (2FA) step that npm requires when creating an account, a one-time code that npm sends to the registered e-mail address.

It is still unclear whether the flood of packages is actually preparing a crypto-miner attack or is just a large-scale trial balloon. The names of cuteboi's npm packages do not follow any known attack pattern such as typosquatting, brandjacking or dependency confusion; they look like randomly generated strings.
