Large-scale cryptomining campaign is targeting the NPM repositorySecurity Affairs

Researchers uncovered a large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository.

Checkmarx researchers spotted a new large-scale cryptocurrency mining campaign, tracked as CuteBoithat is targeting the NPM JavaScript package repository.

Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after notocing a burst of suspicious NPM users and packages automatically created.

Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point. ” reads the post published by Checkmarx. “We dubbed this new actor” CuteBoi “as a tribute to the” cute “username hardcoded in many of the packages’ configuration files and to one of the non-random NPM usernames the Attacker is using,”cloudyboi12

The rogue packages contain a duplicate of the code of the eazyminer package, a JS wrapper around the XMRig mining software. The wrapper was designed to utilize unused resources of systems such as ci / cd and web servers.

The researchers pointed out that installing the malicious packages will have no negative effect on the machine. The miner functionality can be triggered from within another program and does not work as a standalone tool, this means that it will not run upon installation.

CuteBoi relies on a disposable email service called mail.tm to automate the creation of the users that uploads the packages to the NPM repository.

mail.tm provides REST API to allow to open disposable mailboxes and read the received emails sent to them with a simple API call. In this, operators behind the CuteBoi campaign can bypass NPM 2FA challenge when creating a user account.

“CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM. We expect we will continue to see more of these attacks as the barrier to launching them is getting lower. ” concludes the experts.

Recently security experts spotted another large-scale supply chain attack, tracked as IconBurst, which aimed at stealing sensitive data from forms embedded in downstream mobile applications and websites.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, CuteBoi)












Source

Researchers uncovered a large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository.

Checkmarx researchers spotted a new large-scale cryptocurrency mining campaign, tracked as CuteBoithat is targeting the NPM JavaScript package repository.

Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after notocing a burst of suspicious NPM users and packages automatically created.

Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point. ” reads the post published by Checkmarx. “We dubbed this new actor” CuteBoi “as a tribute to the” cute “username hardcoded in many of the packages’ configuration files and to one of the non-random NPM usernames the Attacker is using,”cloudyboi12

The rogue packages contain a duplicate of the code of the eazyminer package, a JS wrapper around the XMRig mining software. The wrapper was designed to utilize unused resources of systems such as ci / cd and web servers.

The researchers pointed out that installing the malicious packages will have no negative effect on the machine. The miner functionality can be triggered from within another program and does not work as a standalone tool, this means that it will not run upon installation.

CuteBoi relies on a disposable email service called mail.tm to automate the creation of the users that uploads the packages to the NPM repository.

mail.tm provides REST API to allow to open disposable mailboxes and read the received emails sent to them with a simple API call. In this, operators behind the CuteBoi campaign can bypass NPM 2FA challenge when creating a user account.

“CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM. We expect we will continue to see more of these attacks as the barrier to launching them is getting lower. ” concludes the experts.

Recently security experts spotted another large-scale supply chain attack, tracked as IconBurst, which aimed at stealing sensitive data from forms embedded in downstream mobile applications and websites.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs hacking, CuteBoi)












Source

More from author

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Related posts

Advertismentspot_img

Latest posts

Multiple Vulnerabilities Discovered in Device42 Asset Management Appliance

A series of vulnerabilities on the popular asset management platform Device42 could be exploited to give attackers full root access to the system, according...

Top 5 best backup practices

Give yourself peace of mind by implementing a new backup strategy with our tips....

Indian Power Sector targeted with latest LockBit 3.0 variant

Estimated reading time: 5 minutesAfter the infamous Conti ransomware group was disbanded, its former members began to target the energy and power sectors...

Want to stay up to date with the latest news?

We would love to hear from you! Please fill in your details and we will stay in touch. It's that simple!