Cybersecurity researchers from Check Point have discovered 16 typosquatted packages on the NPM repository that install cryptocurrency miners.
NPM is one of the more popular JavaScript repositories, hosting more than two million open source packages that developers can use to speed up software development.
As such, it’s an attractive target for cybercriminals engaging in supply chain attacks. Developers that download malicious packages risk not only their endpoints, but also those that end up using their products.
Impersonating a speed test package
In this incident, an unknown threat actor using the alias “trendava” uploaded 16 malicious packages on January 17, all of which pretend to be internet speed testers. They all have names similar to an actual speed tester, but they are designed to install a cryptocurrency miner on the target device. Some of the names are speedtestbom, speedtestfast, speedtestgo, and speedtestgod.
A cryptocurrency miner uses the computer’s processing power, electricity, and internet, to generate tokens, which can later be sold on an exchange for fiat currencies (US dollars, euros, etc.). When active, the miner takes up almost all of the device’s computing power, rendering it useless for anything else. Miners are quite popular malware these days, with threat actors looking to install XMRig on servers and other powerful devices. XMRig mines Monero (XMR), a privacy coin that is almost impossible to trace.
NPM removed all of the malicious packages a day after they were uploaded, on January 18.
Commenting on the fact that there are 16 similar packages, the researchers said it is possible that the attackers were engaged in trial-and-error:
“It is fair to assume these differences represent a trial the attacker did, not knowing in advance which version will be detected by the malicious packages’ hunter tools and therefore trying different ways with which to hide their malicious intent,” CheckPoint said. “As part of this effort, we’ve seen the attacker hosting the malicious files on GitLab. In some cases, the malicious packages were interacting directly with the crypto pools, and in some cases, they seem to leverage executables for that need.”
The best way to protect against typosquatting is to be careful when deploying open-source code and only use packages from reputable sources.
Via: BleepingComputer (opens in new tab)
