Creating 1,283 packages and 1,027 user accounts seems to be the job of someone experimenting with what they might be able to do.
IconBurst’s goal was to collect sensitive data from mobile applications and website forms, and it relied on JavaScript libraries whose names were intentionally misspelled to fool careless coders.
That puts it in the same vein as supply chain attacks such as SolarWinds and Kaseya. In its 2022 Data Breach Investigations Report, Verizon states that supply chain intrusions account for about 10% of all cybersecurity incidents.
Deepen Desai, CISO and Vice President of Security Research and Operations at Zscaler, a zero trust security vendor, told The Register last month that supply chain attacks, which started out as nation-state espionage, are increasingly being adopted by financially motivated criminal groups.
In the latest case, Checkmarx researchers found that the suspicious NPM users and packages were created automatically over the course of a few days, and noted that all of the packages contain almost the same code as eazyminer, a package designed to mine Monero using unused resources on machines such as CI/CD systems and web servers.
eazyminer, and therefore its sudden flood of clones, is just a wrapper around the XMRig mining tool and has to be incorporated into a program before it can start mining. At this stage, it seems the other libraries and applications are simply attempts to flood NPM with randomly named packages that can be used to mine Monero.
“Downloading and installing these packages doesn’t hurt your machine,” the researchers write. “The code copied from eazyminer contains minor functionality intended to be triggered from within another program rather than as a standalone tool. Because the attacker did not change this functionality in the code, it will not run during installation.”
That said, CuteBoi modified eazyminer’s configuration file to specify the server to which mined cryptocurrency is sent.
“At the heart of these packages is the XMRig miner,” the researchers write. “Binaries compiled for Windows and Linux systems are shipped with the package. An attacker renames these binaries to match the random name of the package itself.”
The automation CuteBoi uses to create an army of accounts and packages is not unique. In March, Checkmarx wrote about how a cybercriminal group called Red-Lili automatically created hundreds of NPM accounts and malicious packages (one for each user) as part of a dependency confusion attack.
In the case of Red-Lili, the analysts said, “we saw the attacker launching a self-hosted server to support such automation, but in this case CuteBoi seems to have found a way to launch such an attack without registering a domain to host a custom server.”
In addition, CuteBoi’s mastermind appears to be using mail.tm, a free disposable mailbox provider that can be driven through a simple web API call. With this, CuteBoi can create a large number of NPM user accounts, each with a valid email address, which is required (for one thing) for two-factor authentication.
“CuteBoi is the second attack group of the year to launch a major attack on NPM using automation,” they write. “We expect these attacks to increase as the barriers to launching these attacks become lower.” ®