16 packages with cryptominers posing as Internet speed testers found in the npm repository

On January 17, Check Point found 16 malicious packages uploaded to npm, the online repository of open-source code packages that software developers actively use. All 16 packages were uploaded to npm by a user with the nickname “trendava”. According to the npm report, all of the malicious packages were removed from the repository the day after they were uploaded.

The names of the malicious packages that install cryptocurrency miners are listed below:

lagra, speedtesta, speedtestbom, speedtestfast, speedtestgo, speedtestgod, speedtestis, speedtestkas, speedtesto, speedtestrun, speedtestsolo, speedtestspa, speedtestwow, speedtestzo, trova, trovam.

Most of the packages have names resembling Internet speed testers, but they are all cryptocurrency miners. Check Point analysts also found that each package uses different code and methods to accomplish its task.

“It is fair to assume that these differences are a kind of test that the attacker performed, not knowing in advance which version would be detected by the tools that search for harmful packages. In some cases, the harmful packages interact directly with crypto pools, and in others they use third-party executable files for this purpose,” Check Point representatives commented on the situation.

The package called “speedtestspa”, for example, downloads a helper from GitLab and uses it to connect to the cryptocurrency mining pool, while the speedtestkas package ships with the malicious helper file already included. The speedtestbom package goes even further and tries to hide the address of the cryptocurrency mining pool: it connects to an external IP address to retrieve the pool address. The speedtesto package contains code from a real speed test utility, so it can actually be used for that purpose, which deflects suspicion from the developer.

We previously wrote that several malicious packages were also discovered on PyPI, another popular repository for developers. In that case, however, the packages contained an infostealer rather than a cryptominer.

A clear trend stands out: hackers are increasingly targeting software developers in their attacks. This is probably because developers are the ones who most often blindly assume there are no threats when using ready-made packages from popular repositories.

Potential risks can be minimized by trusting only authoritative authors and by carefully reviewing the code of any package before adding it to a project.
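As a complement to manual review, the following added example (not code from Check Point or from the article) checks a parsed `package-lock.json` for any of the 16 package names listed above, including transitive dependencies. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Names as listed in the article, lowercased (npm package names are lowercase).
const FLAGGED = new Set(["lagra", "speedtesta", "speedtestbom", "speedtestfast",
  "speedtestgo", "speedtestgod", "speedtestis", "speedtestkas", "speedtesto",
  "speedtestrun", "speedtestsolo", "speedtestspa", "speedtestwow", "speedtestzo",
  "trova", "trovam"]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// lockfileVersion 1: dependencies are nested objects keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = trail.concat(name);
    if (FLAGGED.has(name.toLowerCase())) {
      hits.push({ name, version: info.version, via: here.join(" > ") });
    }
    walkV1(info.dependencies, here, hits);
  }
}

// Returns every flagged package in a parsed package-lock.json, direct or transitive.
function findFlagged(lock) {
  const hits = [];
  if (!lock.packages) {
    walkV1(lock.dependencies, [], hits);
    return hits;
  }
  // lockfileVersion 2/3: flat map keyed by install path; "" is the project itself.
  for (const [path, info] of Object.entries(lock.packages)) {
    if (path === "") continue;
    const name = info.name || nameFromPath(path); // an entry's own name wins if present
    if (name && FLAGGED.has(name.toLowerCase())) {
      hits.push({ name, version: info.version, via: path });
    }
  }
  return hits;
}

// Constructed sample lockfiles (not from the article); versions are made up.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/speed-test-widget": { version: "2.1.0" },
  "node_modules/speedtestgo": { version: "1.0.0" },
  "node_modules/some-tool/node_modules/trova": { version: "1.0.1" } } };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "some-tool": { version: "3.0.0", dependencies: { speedtestkas: { version: "1.0.0" } } } } };

console.log(findFlagged(SAMPLE_V3), findFlagged(SAMPLE_V1));
```

Matching is on the exact package name, so a similarly named but unlisted package such as the constructed `speed-test-widget` is not reported.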

/Media reports cited above.