A burst of roughly 1,300 JavaScript packages published to NPM through more than 1,000 automatically created user accounts could be the opening move of a large-scale crypto-mining campaign, according to Checkmarx researchers.
Creating 1,283 packages and 1,027 user accounts looks like the work of someone testing what they can get away with.
The effort has been dubbed CuteBoi, because many of the packages' configuration files use "cute" as a hard-coded username and one of the NPM accounts carries the distinctly non-random name cloudyboi12. It follows hard on the heels of another software supply chain attack, IconBurst, which involved typosquatted NPM JavaScript packages.
IconBurst's goal was to harvest sensitive data from mobile applications and website forms. Its packages carried names that were deliberate misspellings of legitimate JavaScript libraries, intended to catch developers who mistype a dependency.
NPM, owned by Microsoft's GitHub, hosts hundreds of thousands of JavaScript packages for developers. The prospect of tampering with one of those libraries, or of tricking programmers into pulling in a booby-trapped package with a look-alike name, and thereby injecting malware into every downstream library and application that depends on that code, makes the registry an attractive target for miscreants.
It is the same category of supply chain attack that hit SolarWinds and Kaseya. In its 2022 Data Breach Investigations Report, Verizon found that supply-chain-based intrusions accounted for about 10 percent of all security incidents.
Deepen Desai, CISO and vice president of security research and operations at zero-trust security vendor Zscaler, told The Register: "Supply chain attacks, which began as nation-state espionage, are increasingly being adopted by financially motivated criminal groups."
NPM has had its share of security issues over the past two years, from authorization and credential problems to crypto-mining malware embedded in npm packages, as detected in October 2021.
In the latest case, Checkmarx researchers found that the suspicious NPM users and packages were created automatically over the course of a few days, and that every package contains almost the same code as eazyminer, a package designed to mine Monero using spare resources on machines such as CI/CD runners and web servers.
Eazyminer, and therefore the sudden flood of clones, is just a wrapper around the XMRig mining tool: it has to be imported into a program before it will start mining. At this stage the operation looks like an attempt to flood NPM with randomly named packages that other libraries and applications could be induced to pull in, at which point they could be used to mine Monero.
"Downloading and installing these packages doesn't hurt your machine," the researchers write. "The code copied from Eazyminer contains minor functionality intended to be triggered from within another program rather than as a standalone tool. Because the attacker did not change this functionality in the code, it will not run during installation."
That said, CuteBoi did modify eazyminer's configuration file to point at a server that receives the mined cryptocurrency.
"At the heart of these packages is the XMRig miner," the researchers write. "Binaries compiled for Windows and Linux systems are shipped with the package. The attacker renames these binaries to match the random name of the package itself."
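The traits described in the last few paragraphs (a miner config whose pool entry carries a hard-coded username, Windows and Linux binaries renamed after the package, and nothing wired into an install hook) are easy to turn into a triage check for an unpacked package. The script below is an added example, not code from the article or from Checkmarx; the package name, the file names, the sample pool config and the fixture package it builds are all constructed for illustration, and the hard-coded username "cute" is the only indicator taken from the reporting above.

```python
"""Triage heuristics for an unpacked npm package, keyed to the traits the
article describes: an XMRig-style miner config with a hard-coded username,
native binaries renamed after the package, and no install-time hook.
Added example code, not Checkmarx's tooling; file names, the sample config
and the fixture package are constructed for illustration."""
import json
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"   # Linux executables
PE_MAGIC = b"MZ"         # Windows executables
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SUSPECT_USERS = {"cute"}  # hard-coded miner username reported for CuteBoi


def is_native_binary(path):
    """True if the file begins with an ELF or PE header."""
    try:
        with path.open("rb") as fh:
            head = fh.read(4)
    except OSError:
        return False
    return head.startswith(ELF_MAGIC) or head.startswith(PE_MAGIC)


def miner_config_findings(path):
    """Flag an XMRig-style config: a top-level "pools" list whose entries
    name a pool URL and a wallet/worker "user" (the real XMRig layout)."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        return []
    pools = data.get("pools") if isinstance(data, dict) else None
    if not isinstance(pools, list):
        return []
    out = []
    for pool in pools:
        if not isinstance(pool, dict):
            continue
        user = str(pool.get("user", ""))
        out.append(f"miner pool config in {path.name}: "
                   f"url={pool.get('url')} user={user}")
        if user in SUSPECT_USERS:
            out.append(f"hard-coded miner username {user!r} in {path.name}")
    return out


def scan_package(pkg_dir):
    """Return the package name, any install-time hooks, and miner findings."""
    pkg_dir = Path(pkg_dir)
    manifest = json.loads((pkg_dir / "package.json").read_text(encoding="utf-8"))
    name = manifest.get("name", "")
    scripts = manifest.get("scripts") or {}
    findings = []
    for path in pkg_dir.rglob("*"):
        if not path.is_file():
            continue
        if path.suffix == ".json" and path.name != "package.json":
            findings.extend(miner_config_findings(path))
        # The renaming trick: a Windows or Linux binary whose basename
        # (extension stripped) equals the package's own random name.
        if path.stem == name and is_native_binary(path):
            findings.append(f"native binary named after package: {path.name}")
    return {"name": name,
            "install_hooks": [h for h in LIFECYCLE_HOOKS if h in scripts],
            "findings": findings}


def build_sample_package():
    """Write a constructed fixture mimicking the described layout (not a real
    CuteBoi artefact; only the file headers are genuine ELF/PE magic)."""
    root = Path(tempfile.mkdtemp(prefix="npm-triage-"))
    (root / "package.json").write_text(json.dumps(
        {"name": "qwzrkl-mine", "version": "1.0.0", "main": "index.js"}))
    (root / "index.js").write_text("module.exports = { start() {} };\n")
    (root / "config.json").write_text(json.dumps({"pools": [
        {"url": "stratum+tcp://pool.example:3333", "user": "cute", "pass": "x"}]}))
    (root / "qwzrkl-mine").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\0" * 13)
    (root / "qwzrkl-mine.exe").write_bytes(PE_MAGIC + b"\x90\0" + b"\0" * 60)
    return str(root)


if __name__ == "__main__":
    report = scan_package(build_sample_package())
    print(json.dumps(report, indent=2))
```

Note that an empty `install_hooks` list is exactly what the researchers describe and is not reassuring on its own: these packages are built to be imported, not to fire on `npm install`, so the signal lies in the pool configuration and the binaries that share the package's name, not in lifecycle scripts.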
The automation CuteBoi uses to spin up an army of accounts and packages is not unique. In March, Checkmarx described how a cybercriminal group called Red-Lili automatically created hundreds of NPM accounts and a malicious package for each one as part of a dependency confusion attack.
"In the case of Red-Lili," the analysts said, "we saw the attacker launching a self-hosted server to support such automation, but in this case CuteBoi seems to have found a way to launch such an attack without hosting a custom server or registering domains."
In addition, whoever is behind CuteBoi appears to be using mail.tm, a free disposable-mailbox provider that can be driven through a simple web API call. That lets CuteBoi register NPM user accounts in bulk, each with a valid email address, which is needed, for one thing, for two-factor authentication.
Checkmarx has put up a website it calls the CuteBoi tracker, which can be used to inspect every package and user created for the campaign; the vendor has also made the tracker available on GitHub.
"CuteBoi is the second attack group this year to launch a major attack on NPM using automation," they write. "We expect these attacks to increase as the barriers to launching them become lower." ®