1200 NPM Packages in "CuteBoi" Cryptomining Campaign

1200 NPM Packages in "CuteBoi" Cryptomining Campaign


The NPM JavaScript package repository has been the target of a new massive cryptocurrency mining operation, according to researchers who have made this discovery.


An assortment of 1,283 malicious modules was published in an automated fashion from more than 1,000 distinct user accounts, and the malicious activity has been attributed to a threat actor in the software supply chain known as CuteBoi.


The Israeli application security testing company Checkmarx stated that this was accomplished through the use of automation, which included the capacity to successfully complete the NPM 2FA challenge. "At this point in time, it appears that this group of packages is an experiment being conducted by an adversary."


It is believed that all of the aforementioned released packages contain source code that is nearly identical to that of an already existing package known as eazyminer. This particular package is utilized to mine Monero by making use of the unused resources that are found on web servers.


In spite of the fact that installing the malicious modules will not have a negative impact, one notable change involves the URL to which mined cryptocurrency should be sent.


1200 NPM Packages in "CuteBoi" Cryptomining Campaign

According to researcher Aviad Gershon, "the copied code from eazyminer includes a miner functionality intended to be triggered from within another program and not as a standalone tool." This statement was made in reference to the code that was taken from eazyminer. Because the malicious actor who carried out the attack did not modify this aspect of the code, the program cannot be installed and will not run.


The packages are distributed using an automation method, similar to what was seen in the case of RED-LILI earlier this year. This provides the threat actor with the ability to circumvent the protections provided by two-factor authentication (2FA).


1200 NPM Packages in "CuteBoi" Cryptomining Campaign


CuteBoi, on the other hand, uses a service called mail.tm, which is a disposable email provider, rather than setting up a custom server and using a combination of tools like Selenium and Interactsh to programmatically create an NPM user account and defeat 2FA. The former method required setting up a custom server.


The free platform also provides a REST application programming interface (API), which "enables programs to open disposable mailboxes and read the received emails sent to them with a simple API call." This makes it possible for the threat actor to avoid the two-factor authentication challenge when creating a user account.


The findings coincide with another NPM-related widespread software supply chain attack that has been given the name IconBurst. This attack is designed to harvest sensitive data from forms that are embedded in downstream mobile applications and websites.

0 Comments

Your suggestions and comments are welcome

Post a Comment

Your suggestions and comments are welcome

Post a Comment (0)

Previous Post Next Post