Someone may be prepping an NPM crypto-mining spree
1,300 packages from 1,000 automated user accounts set the stage for something big
The creation of 1,283 packages and 1,027 users accounts seems to be the work of someone experimenting with what they might be able do.
The goal of IconBurst was to collect sensitive data from forms in mobile applications and websites that incorporated JS libraries that were deliberately misspelled to hoodwink coders into using them.
It's pretty much along the same lines as the supply chain attacks involving SolarWinds and Kaseya. Verizon noted in its 2022 Data Breach Investigations Report that supply-chain-based intrusions account for about 10 percent of all cybersecurity incidents.
Deepen Desai, CISO and vice president of security research and operations at zero-trust security vendor Zscaler, told The Register last month supply-chain attacks, which started out as nation-state espionage operations, are increasingly being adopted by financially motivated crime groups.
NPM has been hit with its share of security issues over the past couple of years, ranging from authorization and credential problems to crypto-mining mining malware embedded in an npm package that was detected in October 2021.
- Intel ships crypto-mining ASIC at the worst possible time
- China's blockchain boosters slam crypto as Ponzi scheme
- Investors start betting against Bitcoin with short-trade products
- Clipminer rakes in $1.7m in crypto hijacking scam
In the most recent case, Checkmarx researchers noted a flood of suspicious NPM users and packages being automatically created over a number of days, with all of the packages containing code that is almost identical to the Eazyminer package, designed to mine Monero by utilizing unused resources of such machines as CI/CD and web servers.
Eazyminer and its sudden rush of clones are just a wrapper around the XMRig mining tool, and need to be incorporated into a program before they can start mining. It appears, at this stage, someone is trying to flood NPM with randomly named packages that can be used by other libraries and applications to mine Monero.
"Downloading and installing these packages will have no negative effect on the machine," the researchers wrote. "The copied code from Eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool. The attacker didn't change this feature of the code and for that reason, it won't run upon installation."
That said, CuteBoi did modify eazyminer's configuration files, specifying the server the mined cryptocurrency should be sent to.
"At the heart of these packages are the XMRig miners," the researchers wrote. "Their binaries, compiled for Windows and Linux systems, are shipped along with the packages. The attacker changes the names of these binaries to match the random names of the package themselves."
The automation CuteBoi is using to create its army of accounts and packages is not unique. Checkmarx in March wrote about how a cybercrime group it called Red-Lili automatically created hundreds of NPM accounts and malicious packages – one package per user – as part of a dependency confusion attack.
In the case of Red-Lili, the analysts "saw the attacker launch a self-hosted server to support such automation. However, it seems that in this case, CuteBoi found a way to launch such attack without hosting a custom server and registering domains."
In addition, the CuteBoi mastermind appears to be using mail.tm, a provider of free disposable mailboxes that can be accessed via simple web API calls. Using this process, CuteBoi is able to create a slew of NPM user accounts and provide a working email address for each of them, which (for one thing) is required for two-factor authentication purposes.
Checkmarx created a website called CuteBoi Tracker that can be used to inspect all the packages and users created for the campaign. The vendor also made the tracker available on GitHub.
"CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM," they wrote. "We expect we will continue to see more of these attacks as the barrier to launch them is getting lower." ®