Sonatype: Cryptominers Launched in Windows, macOS, Linux Devices
The researchers reported the malicious packages to npm on Oct. 15, 2021, and it took them down within hours of their release, the report says.
The researchers at Sonatype have attributed the ownership of the malicious packages to an author whose account is currently deactivated, the report notes.
The malicious packages are dubbed okhsa – cataloged as Sonatype-2021-1473 – and klow and klown – catalogued as Sonatype-2021-1472, the report notes.
Okhsa, the researchers say, contains a skeleton code that launches the calculator app on Windows machines before installation. The versions of okhsa that do this also contain the klow or the klown packages as a dependency, according to the report.
“The Sonatype security research team discovered that klown had emerged within hours of klow having been removed by npm,” the report says.
Sonatype researcher Ali ElShakankiry analyzed the packages and found that the klow and klown packages contained cryptocurrency miners.
“These packages detect the current operating system at the preinstall stage, and proceed to run a .bat or .sh script, depending on if the user is running Windows, or a Unix-based operating system,” ElShakankiry notes.
The aforementioned scripts also “download an externally-hosted EXE or a Linux ELF, which then executes the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to use,” the researchers say (see: Is Cryptocurrency-Mining Malware Due for a Comeback?).
The researchers were unable to fully determine how the malicious actor planned to target developers.
“There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. Klow(n) does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt,” the researchers note.
Sonatype did not immediately respond to Information Security Media Group’s request for additional comment.
Attacks Compromising Ecosystems
The researchers at Uptycs Threat Research recently uncovered a campaign in which cloud-focused cryptojacking group TeamTNT was deploying malicious container images hosted on Docker Hub with an embedded script to download testing tools used for banner grabbing and port scanning.
The researchers found that the threat actors scanned for targets in the victim’s subnet and performed malicious activities using the scanning tools inside the malicious Docker image (see: TeamTNT Deploys Malicious Docker Image on Docker Hub).
Pascal Geenens, director of threat intelligence at Radware, tells ISMG that the success of these attacks on ecosystems has not escaped the attention of malicious actors, who are all too happy to embrace yet another opportunity to perpetrate criminal activity.
“They compromise these ecosystems by uploading malicious modules to the online repositories, with the aim of tricking developers into downloading and executing these modules on their systems. These so-called supply chain attacks are not limited to package repositories and open source. The NotPetya and SolarWinds Orion attacks were both the result of compromised commercial software updates,” Geenens notes.
“We’ve been following a recent uptick in adversaries increasingly targeting open-source repos for conducting attacks with different purposes – from stealing sensitive data and system files to cryptomining. We have seen this trend repeatedly, with April’s cryptomining attacks against GitHub, followed by Sonatype’s discovery of PyPI cryptomining malware in June,” Ax Sharma, senior security researcher at Sonatype, tells ISMG.
Geenens says that given the success and size of the ecosystems behind PyPI and npm, there are plenty of opportunities to exploit targets with objectives ranging from reconnaissance to compromise, which include techniques such as information gathering and exfiltration, backdooring, stealing and, in the case of npm, cryptojacking.
Defending Against Dependency Attacks
Sharma warns that the malicious typosquatting, brandjacking and dependency hijacking packages on npm can do everything from exfiltrating minor data to spawning reverse shells and stealing sensitive files, conducting surveillance activities such as keylogging and accessing webcams, and spamming repositories with links to pirated content and warez sites.
“While typosquatting and brandjacking attacks require some form of manual effort on the developer’s part, malicious dependency hijacking attacks are far more dangerous given their automated nature,” he says.
Sharma recommends being wary of typing mistakes. He says, “For example, “twilio-npm” may not be the same package as “twilio.” Have an SBOM, or software bill of materials, to know what dependencies and components make up your application.”
He also recommends keeping an automated solution in place to defend against dependency hijacking attacks, which could be as simple as deploying a script that checks if any public dependencies being pulled into your code have conflicting names with your private dependencies.