All three malicious packages (klow, klown and okhsa) were disguised as user-agent string parsers. Once installed, however, they determined which operating system the victim was running and launched a BAT or shell script accordingly.
“Then these scripts loaded an EXE or Linux ELF hosted on an external server and executed a binary with arguments indicating the mining pool, cryptocurrency wallet and the number of CPU threads used,” Sonatype experts write.
The final payloads (miners) ran on both Windows and Linux.
Fortunately, all three packages were live for only one day, October 15, 2021, and none of them received more than 150 downloads. Notably, all three malicious libraries were published from the same account, meaning they were created by one person.
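A defender-side static triage heuristic for the dropper pattern described above, as an added example that is not Sonatype's tooling or code from the packages: it flags an npm package whose install-time lifecycle hook runs code that branches on the platform and spawns a process. The package names, fixture file contents and the PLACEHOLDER URL are constructed for the demo.

```python
"""Static triage for npm packages: install hook + OS branch + process spawn."""
import json
import re
import tempfile
from pathlib import Path

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
INDICATORS = {
    "os_branch": re.compile(r"process\.platform|os\.platform\(\)"),
    "spawns_process": re.compile(r"child_process|\bexec(Sync)?\(|\bspawn(Sync)?\("),
    "stage2_script": re.compile(r"\.(bat|cmd|sh)\b"),
    "remote_binary": re.compile(r"https?://\S+\.(exe|elf|bin)\b", re.I),
}

def triage_package(pkg_dir: Path) -> dict:
    """Suspicious = an install-time hook exists AND the source branches on OS and spawns a process."""
    manifest = json.loads((pkg_dir / "package.json").read_text())
    hooks = [h for h in LIFECYCLE_HOOKS if h in manifest.get("scripts", {})]
    hits = set()
    for src in pkg_dir.rglob("*.js"):
        text = src.read_text(errors="ignore")
        hits.update(name for name, rx in INDICATORS.items() if rx.search(text))
    suspicious = bool(hooks) and {"os_branch", "spawns_process"} <= hits
    return {"name": manifest.get("name"), "hooks": hooks,
            "indicators": sorted(hits), "suspicious": suspicious}

def write_sample(root: Path, name: str, dropper: bool) -> Path:
    """Constructed, inert fixtures: the 'dropper' variant only carries indicator strings."""
    pkg = root / name
    pkg.mkdir(parents=True)
    manifest = {"name": name, "version": "1.0.0", "main": "index.js"}
    # A genuine-looking user-agent parser, present in both fixtures
    (pkg / "index.js").write_text("module.exports = ua => /Mobile/.test(ua) ? 'mobile' : 'desktop';\n")
    if dropper:
        manifest["scripts"] = {"postinstall": "node setup.js"}  # runs at npm install time
        (pkg / "setup.js").write_text(
            "const { execSync } = require('child_process');\n"
            "const stage = process.platform === 'win32' ? 'stage.bat' : 'stage.sh';\n"
            "const bin = process.platform === 'win32' ? 'http://PLACEHOLDER.invalid/m.exe'"
            " : 'http://PLACEHOLDER.invalid/m.elf';\n"
            "// fixture only: nothing in this file is ever executed by the triage script\n")
    (pkg / "package.json").write_text(json.dumps(manifest))
    return pkg

def demo() -> dict:
    """Triage one benign and one lookalike package built in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        return {"benign": triage_package(write_sample(root, "ua-tools-benign", dropper=False)),
                "dropper": triage_package(write_sample(root, "ua-tools-lookalike", dropper=True))}

if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run it against an unpacked tarball (`npm pack` output) before installing; a hit is a reason to read the hook script, not proof of malice.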