More than 200 cryptomining packages flood npm and PyPI registry

Sonatype has spotted 186 malicious packages flooding the npm registry today. These packages infect Linux hosts with cryptominers by downloading a malicious Bash script from the threat actor’s server via the Bitly URL shortener service. Our discovery follows another researcher’s discovery of 55 PyPI packages from this week, that also pull crypto miners in an identical fashion from the same offending URL.

186 counterfeit npm packages drop cryptominers

Today, Sonatype’s automated malware detection systems flagged 186 npm packages that all impersonate the heavily used http-errors JavaScript library that gets downloaded over 50 million times on a weekly basis.

The complete list of 186 packages we identified is present in this PDF.

All of these packages were published from a pseudonymous npm account called “17b4a931.”

Many of these packages are typosquats and target users of known libraries like React (typosquat being ‘r2act’) and QT (via ‘qtt’ typosquat).

The index.js file contained within these packages shows they are in fact pulling the legitimate ‘http-errors’ library from npm, so as to not raise eyebrows. But, let’s admit, the names of these packages are drastically different from ‘http-errors’ no matter how impressive a job they may do in impersonating the project’s README verbatim.

Scrolling down past a few lines of code reveals some sinister activity:

On Line 115, we see the packages are pulling content from a Bit.ly URL and silently executing this script while muting its output (via >/dev/null).

The developer behind these malicious packages has even left a snarky comment in the code, acknowledging the malware, being a Bash script, would run on Unix-based systems only:

“if ur using windows for installing this package ur 1 lucky son of a *****”

And the Bit.ly URL redirects to the address shown below:

https://bit[.]ly/3c2tMTT => http://80.78.25[. (Read more…)