Newly found npm malware mines cryptocurrency on Windows, Linux, macOS devices

October 20, 2021 By Ax Sharma

5 minute read time

Sonatype's automated malware detection system has caught multiple malicious packages on the npm registry this month. These packages disguise themselves as legitimate JavaScript libraries but were caught launching cryptominers on Windows, macOS and Linux machines.

The malicious packages are:

  • okhsa
  • klow
  • klown

"klow, klown" have been tracked under Sonatype-2021-1472. Whereas, "okhsa" has been cataloged under Sonatype-2021-1473.

Different versions of the "okhsa" package largely contain skeleton code that launches the Calculator app on Windows machines pre-installation. But additionally, these versions contain either the "klow" or the "klown" npm package as a dependency — which is malicious.

The manifest file, package.json, for "okhsa" shows "klown" listed as a dependency.

Screenshot of the The manifest file, package.json, for “okhsa” shows “klown” listed as a dependency.

All of these packages were published by the same author whose account has since been deactivated:

Screenshot of author page on npm for wozheqirsplu, showing that he posted both malicious components

The Sonatype security research team discovered that "klown" had emerged within hours of "klow" having been removed by npm. "Klown" falsely touts itself to be a legitimate JavaScript library "UA-Parser-js" to help developers extract the hardware specifics (OS, CPU, browser, engine, etc.) from the "User-Agent" HTTP header.

Screenshot of Klown” falsely touting itself to be a legitimate JavaScript library “UA-Parser-js”

But, Sonatype security researcher Ali ElShakankiry who analyzed these packages explains, "Packages 'klow' and 'klown' contain a cryptocurrency miner. These packages detect the current operating system at the preinstall stage, and proceed to run a .bat or .sh script depending on if the user is running Windows, or a Unix-based operating system."

"These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize."

One of the Batch scripts found in the "klown" package are shown below:

Screenshot of One of the Batch scripts found in the “klown” package

The script downloads the "jsextension.exe" from a Russia-based host 185.173.36[.]219.

The EXE is a known cryptominer, as previously flagged by VirusTotal. For Linux and macOS installations, an identical Bash script downloads the "jsextension" ELF binary from the same host.

Shown below is a screenshot from a test run of the crypto mining EXE, generated via any.run. Note, the malicious EXE runs quietly in the background on an infected machine, but for the purposes of demonstration we are showing how the process would appear if it wasn't hidden:

a screenshot from a test run of the crypto mining EXE, generated via any.run

It isn't clear how the author of these packages aims to target developers. There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. "Klow(n)" does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt.

The Sonatype security research team reported these malicious packages to npm on October 15, 2021, hours after their release, and the packages were taken down the same day by the npm security team.

Evolving open source supply-chain attacks warrant advanced protection

Once again, this particular discovery is a further indication that developers are the new target for adversaries over the software they write. Sonatype has been tracing novel brandjacking, typosquatting, and cryptomining malware lurking in software repositories. We've also found critical vulnerabilities and next-gen supply-chain attacks, as well as copycat packages targeting well-known tech companies.

The good news is, over the past few weeks, our automated malware detection system has caught thousands of suspicious packages on npm. These components are either confirmed malicious, previously known to be malicious, or dependency confusion copycats.

We are now expanding our malware detection capabilities via Sonatype Intelligence to other ecosystems as well, such as PyPI.

All of this takes more than just due diligence and luck – it takes the expertise of experienced security professionals and hundreds of terabytes of data. In order to keep pace with malware mutations, Sonatype analyses every newly released npm package to keep developers safe.

We help you remain proactive and safeguard your software supply chains against up-and-coming attacks. Our AI/ML-powered automated malware detection system (which is part of Sonatype Repository Firewall and powered by Sonatype Intelligence data), and security research team work together for full-spectrum protection. Sonatype determines a likely malicious component based on historical supply chain attacks and over five-dozen "signals." This insight enables flagging for potential new attacks before security researchers discover them.

article - repo firewall flowchart

As soon as our system flags a package or a dependency as "suspicious," it undergoes a quarantine queue for manual review by the Sonatype Security Research Team. Users of Sonatype Repository Firewall are then protected from these suspicious packages while the review is underway. Existing components are quarantined before they are pulled "downstream" into a developer’s open source build environment.

Moreover, users that have enabled the "Dependency Confusion Policy" feature will get proactive protection from dependency confusion attacks. This works whether conflicting package names exist in a public repository or in your private, internal repos.

Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.st content here…

Update: Following our disclosure of these malicious packages, the legitimate library "ua-parser-js" used by millions was itself was found to be compromised. We have released a subsequent blog post covering the "ua-parser-js" compromise.

Tags: vulnerabilities, featured, Nexus Intelligence Insights

Written by Ax Sharma

Ax is a Security Researcher at Sonatype and Engineer who holds a passion for perpetual learning. His works and expert analyses have frequently been featured by leading media outlets. Ax's expertise lies in security vulnerability research, reverse engineering, and software development. In his spare time, he loves exploiting vulnerabilities ethically and educating a wide range of audiences.