Crook looks set to increase NPM’s crypto mining campaign • The Register

An outbreak of nearly 1,300 JavaScript packages automatically created on NPM via more than 1,000 user accounts could be the first step in a major crypto mining campaign, according to researchers at Checkmarx.

The creation of 1,283 packages and 1,027 user accounts seems to be the work of someone experimenting with what they can do.

The effort – dubbed CuteBoi because of the use of “cute” in the username hardcoded in many of the packages’ configuration files and the non-random NPM username cloudyboi12 – comes on the heels of another software supply chain attack, called IconBurst, which involved NPM JavaScript packages and typosquatting.

The goal of IconBurst was to harvest sensitive data from forms in mobile applications and websites that incorporated JS libraries whose names were deliberately misspelled to trick developers into using them.

Microsoft GitHub-owned NPM hosts hundreds of thousands of developer JavaScript packages. This makes it an attractive target for miscreants, as tampering with one or more of these libraries in one way or another – or tricking programmers into using booby-trapped, similarly named packages – allows malware to be injected into the downstream libraries and applications that depend on the code.

This is broadly the same approach as the supply chain attacks involving SolarWinds and Kaseya. Verizon noted in its 2022 Data Breach Investigations Report that supply chain-based intrusions account for about 10 percent of all cyber security incidents.

Deepen Desai, CISO and vice president of security research and operations at zero-trust security provider Zscaler, told The Register last month that supply chain attacks, which began as nation-state espionage operations, are increasingly being adopted by financially motivated criminal groups.

NPM has been hit by its share of security issues over the past couple of years, ranging from authorization and credential issues to crypto-mining malware embedded in an npm package discovered in October 2021.

In the CuteBoi case, Checkmarx researchers noticed a flood of suspicious NPM users and packages created automatically over a number of days, with all of the packages containing code almost identical to the Eazyminer package, which is designed to mine Monero using idle resources on machines such as CI/CD and web servers.

Eazyminer and its sudden rush of clones are just a wrapper around the XMRig mining tool, and must be incorporated into a program before they can begin mining. It seems that someone, at this stage, is trying to flood NPM with randomly named packages that can be pulled in by other libraries and applications to mine Monero.

“Downloading and installing these packages will have no adverse effect on the computer,” the researchers wrote. “The copied code from Eazyminer includes a miner functionality intended to be triggered from another program and not as a standalone tool. The attacker did not change this feature in the code and for that reason it will not run during installation.”

That said, CuteBoi did change Eazyminer’s configuration files, specifying the server to which the mined cryptocurrency should be sent.

“At the heart of these packages are the XMRig miners,” the researchers wrote. “Their binaries, compiled for Windows and Linux systems, are sent with the packages. The attacker renames these binaries to match the random names of the package itself.”
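The pattern just described, native XMRig builds for Windows and Linux shipped inside a package under the package's own random name, lends itself to a simple triage check. The following is an added example, not Checkmarx's or the campaign's code: it identifies native executables by their magic bytes rather than by file name, and flags any whose name matches the package name in package.json. The package layout, the package name and the file contents are constructed for illustration.

```javascript
// Defensive heuristic for the CuteBoi pattern: a package that bundles
// native executables renamed to the package's own name (added example,
// not code from the original report; the sample package is constructed).

const ELF_MAGIC = Buffer.from([0x7f, 0x45, 0x4c, 0x46]); // "\x7fELF" (Linux)
const PE_MAGIC = Buffer.from([0x4d, 0x5a]);              // "MZ" (Windows)

// Classify a file by its leading bytes, ignoring whatever it is called.
function binaryKind(bytes) {
  if (bytes.length >= 4 && bytes.subarray(0, 4).equals(ELF_MAGIC)) return 'elf';
  if (bytes.length >= 2 && bytes.subarray(0, 2).equals(PE_MAGIC)) return 'pe';
  return null;
}

// pkg = { name, files: { 'relative/path': Buffer } }, as unpacked from a tarball.
function assessPackage(pkg) {
  // Scoped names (@scope/name) compare on the bare name part.
  const pkgBase = pkg.name.split('/').pop().toLowerCase();
  const renamedBinaries = [];
  for (const [rel, bytes] of Object.entries(pkg.files)) {
    const kind = binaryKind(bytes);
    if (!kind) continue;
    // Strip a Windows ".exe" suffix so both platform builds compare equally.
    const base = rel.split('/').pop().replace(/\.exe$/i, '').toLowerCase();
    if (base === pkgBase) renamedBinaries.push({ file: rel, kind });
  }
  const platforms = [...new Set(renamedBinaries.map((b) => b.kind))].sort();
  return { suspicious: renamedBinaries.length > 0, renamedBinaries, platforms };
}

// Constructed sample: a randomly named package carrying an ELF and a PE
// binary under its own name, plus a benign package for comparison.
const SAMPLE_PKG = {
  name: 'qzx-lib-4821',
  files: {
    'package.json': Buffer.from('{"name":"qzx-lib-4821","version":"1.0.0"}'),
    'index.js': Buffer.from('module.exports = require("./miner");'),
    'bin/qzx-lib-4821': Buffer.concat([ELF_MAGIC, Buffer.alloc(12)]),
    'bin/qzx-lib-4821.exe': Buffer.concat([PE_MAGIC, Buffer.alloc(14)]),
  },
};
const BENIGN_PKG = {
  name: 'plain-helper',
  files: { 'index.js': Buffer.from('module.exports = (s) => s;') },
};
```

On a real package the `files` map would be filled from the extracted tarball; a hit on both an ELF and a PE build is the two-platform signature the researchers describe.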

The automation CuteBoi uses to create its army of accounts and packages is not unique. Checkmarx wrote in March about how a cybercrime group called Red-Lili automatically created hundreds of NPM accounts and malicious packages – one package per user – as part of a dependency confusion attack.

In the case of Red-Lili, the analysts said, the attacker set up a custom server to support that automation. CuteBoi, however, appears to have found a way to launch such an attack without hosting a custom server or registering domains.

In addition, it seems that the brains behind CuteBoi use mail.tm, a provider of free disposable mailboxes that can be accessed via simple web API calls. Using this service, CuteBoi is able to create a series of NPM user accounts and provide a working email address for each of them, which (among other things) is required for two-factor authentication purposes.

Checkmarx created a website called CuteBoi Tracker that can be used to inspect all the packages and users created for the campaign. The vendor also made the tracker available on GitHub.

“CuteBoi is the second attack group seen this year using automation to launch major attacks on NPM,” they wrote. “We expect to continue to see more of these attacks as the barrier to launching them becomes lower.” ®
