Around 1200 packages have appeared on npm in the last few days that point to an imminent supply chain attack. All of them appear to contain a copy of the code of a cryptocurrency mining package. For now the code does not run, because it depends on an external call.
Checkmarx, a company specializing in secure software development, discovered and analyzed the flood of packages on npm. According to Checkmarx, the packages come not from one or a few accounts but from just over 1000 automatically created npm accounts. Most of the packages are probably still available on npm.
Preparation for a crypto mining attack?
In addition to the code, many packages contain the hard-coded username “cute” in their configuration files. Checkmarx has dubbed the attack “cuteboi”, a name that also alludes to “cloudboi12”, the evidently not entirely coincidental name of one of the automatically created npm accounts.
In addition to the name, the configuration contains a URL to which the mined cryptocurrency is to be sent. Checkmarx suspects that an XMRig proxy is running at that address. cuteboi’s packages contain binaries of the XMRig mining software for Linux and Windows, named after the associated package. It is not yet clear which software will ultimately start the process in the packages.
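The two indicators described above, a native executable shipped inside an npm package and a configuration file with a hard-coded mining user and pool URL, can be checked mechanically on an unpacked package. The following scanner is an added example and not Checkmarx's tooling; it assumes the config uses XMRig's JSON layout with a `pools` list of `url`/`user` entries, which is an assumption, and the package directory it builds is constructed for the demonstration. Prebuilt native addons (`.node` files) are the one legitimate reason for ELF or PE files in an npm package, so they are skipped here.

```python
import json
import tempfile
from pathlib import Path

ELF_MAGIC = b"\x7fELF"  # Linux executables
PE_MAGIC = b"MZ"        # Windows executables


def is_native_executable(path: Path) -> bool:
    """True if the file starts with an ELF or PE header."""
    with path.open("rb") as fh:
        head = fh.read(4)
    return head.startswith(ELF_MAGIC) or head.startswith(PE_MAGIC)


def miner_config_findings(path: Path) -> list[str]:
    """Report pool entries in a JSON file laid out like an XMRig config (assumed layout)."""
    try:
        data = json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, UnicodeDecodeError):
        return []
    findings = []
    pools = data.get("pools") if isinstance(data, dict) else None
    if isinstance(pools, list):
        for pool in pools:
            if isinstance(pool, dict):
                findings.append(
                    f"{path.name}: mining pool entry user={pool.get('user')!r} url={pool.get('url')!r}"
                )
    return findings


def scan_package(root: Path) -> list[str]:
    """Walk an unpacked npm package and collect indicators worth a manual look."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        # .node files are compiled addons and are expected to be native code
        if path.suffix != ".node" and is_native_executable(path):
            findings.append(f"{path.relative_to(root)}: native executable inside an npm package")
        elif path.suffix == ".json":
            findings.extend(miner_config_findings(path))
    return findings


def build_sample_package() -> Path:
    """Constructed sample package: a stub JS module plus a Linux and a Windows binary stub and a miner-style config."""
    root = Path(tempfile.mkdtemp(prefix="npm-scan-"))
    (root / "package.json").write_text(json.dumps({"name": "qzxvrt", "version": "1.0.0"}))
    (root / "index.js").write_text("module.exports = {};\n")
    (root / "qzxvrt").write_bytes(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 60)       # fake ELF header
    (root / "qzxvrt.exe").write_bytes(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)         # fake PE header
    (root / "config.json").write_text(
        json.dumps({"pools": [{"url": "proxy.invalid:3333", "user": "cute"}]})  # constructed values
    )
    return root


if __name__ == "__main__":
    for line in scan_package(build_sample_package()):
        print(line)
```

Run against a directory produced by `npm pack` followed by extraction; every finding is a reason to read the package by hand, not a verdict on its own.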
npm accounts in bulk
The high number of automatically created npm accounts is remarkable. cuteboi used mail.tm, a disposable e-mail service. The service has a REST API, through which cuteboi automated the login step that creating an npm account requires for two-factor authentication (2FA).
It is currently still unclear whether the flood of packages is actually preparing a crypto miner attack or is merely a large-scale test balloon. The names of cuteboi’s npm packages do not indicate any known attack pattern such as typosquatting, brandjacking or dependency confusion; they look like randomly generated strings.
Malicious code in open source packages is one of the most common attacks on the software supply chain. Attackers publish supposedly useful packages on package managers that developers then use in their applications. Common methods are typosquatting and brandjacking. The latter uses company names such as Twilio to feign a legitimate source.
With typosquatting, malicious packages are given names similar to those of popular packages. The method relies partly on typos and partly on swapped separators such as underscores and hyphens, producing names like my_packet. Someone will make a typing mistake, or so the attackers’ not unfounded hope goes.
Another attack vector is packages that are initially useful and harmless and only bring the malicious code along once they have reached a certain distribution. The npm team discovered such a package in 2019 with electron-native-notify. Finally, dependency confusion attempts to replace internally hosted dependencies with external packages of the same name that contain malicious code. The latter are given a high version number because package installation tools such as pip, depending on their settings, use the package with the highest version number, which is supposed to be the most up-to-date.
Checkmarx has created a dedicated website to follow cuteboi’s activities on npm. The open source project is also available on GitHub. More details can be found on the Checkmarx blog.