Over 1,200 NPM Packages Found Involved in “CuteBoi” Cryptomining Campaign

Researchers have disclosed what they say could be an attempt to kick off a new large-scale cryptocurrency mining campaign targeting the NPM JavaScript package repository.

The malicious activity, attributed to a software supply chain threat actor dubbed CuteBoi, involves an array of 1,283 rogue modules that were published in an automated fashion from over 1,000 different user accounts.

“This was done using automation which includes the ability to pass the NPM 2FA challenge,” Israeli application security testing company Checkmarx said. “This cluster of packages seems to be a part of an attacker experimenting at this point.”

All the packages in question are said to carry near-identical source code copied from an existing package named eazyminer, which mines Monero by using idle resources on web servers.

The one notable modification is the URL to which the mined cryptocurrency is sent. Installing the rogue modules, however, has no harmful effect on its own.

“The copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool,” researcher Aviad Gershon said. “The attacker didn’t change this feature of the code and for that reason, it won’t run upon installation.”

As observed in the case of RED-LILI earlier this year, the packages are published via an automation technique that allows the threat actor to defeat two-factor authentication (2FA) protections.

However, while RED-LILI involved setting up a custom server and using a combination of tools such as Selenium and Interactsh to programmatically create NPM user accounts and defeat 2FA, CuteBoi relies on a disposable email service called mail.tm.

Specifically, it employs a REST API offered by the free platform that enables “programs to open disposable mailboxes and read the received emails sent to them with a simple API call.” This allows the threat actor to circumvent 2FA when creating a flood of user accounts to publish the packages.

The findings coincide with another NPM-related widespread software supply chain attack dubbed IconBurst that’s engineered to harvest sensitive data from forms embedded in downstream mobile applications and websites.
