New NPM Malware Mines Cryptocurrency on Windows, Linux, macOS Devices

Sonatype's automated malware detection system has recently discovered several malicious cryptocurrency-mining packages targeting Windows, Linux and macOS devices.

These miners were disguised as legitimate JavaScript libraries and were found in three packages uploaded to the official NPM repository.

Malicious Packages

The three malicious packages are:-

  • okhsa
  • klow
  • klown

All three packages were disguised as User-Agent header parsers and were uploaded by the same author on October 15th. They were detected immediately, and researchers reported them to the NPM administrators.

As a result, the NPM administrators promptly removed the packages from the official NPM repository, but before their removal they had already been downloaded more than 150 times.

According to the report, only klow and klown contained the cryptocurrency miner and the malicious code; the okhsa package pulled them in as dependencies.

Depending on the user's platform (Windows, Linux or macOS), a .bat or .sh script was loaded onto the system. Once loaded, the script downloaded a Windows EXE or Linux ELF binary from an external host and executed it with arguments specifying the following:-

  • Mining pool
  • Cryptocurrency wallet address
  • Number of processor threads to use

On an infected system the malicious binary runs quietly in the background, so the whole process stays hidden from the user. It is still not clear how the operators of these packages targeted developers.

Sonatype says it is continuously hunting for the following kinds of malicious packages hiding in software repositories:-

  • Brandjacking
  • Typosquatting
  • Cryptomining

In July 2021, two other malicious NPM packages were found in the NPM repository; they were capable of stealing credentials from Google Chrome browsers on Windows systems and also installed backdoors for spyware activity.


BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.