Researchers at security vendor Sonatype say they have found 186 malicious packages in the npm Javascript library registry, which infect Linux hosts with crypto currency mining applications.
Sonatype said many of the packages, published by the same pseudonymous npm account, typo-squat to trick users of well-known software like React, using names like r2act.
The malicious packages download a malicious Bash shell script to fetch the Monero crypto mining code from the threat actor’s server, Sonatype said.
Sonatype noted that another researcher, Hauke Lübbers, had spotted 55 malicious packages from the Python language PyPI registry also tried to download similar cryptomining scripts from the same server as above.
“Uff, the actor has uploaded 22 more packages since all others had been removed 35 minutes ago. That’s one way for me to stay up to date on the latest hip python libraries i guess…”, Lübbers said.
Uff, the actor has uploaded 22 more packages since all others had been removed 35 minutes ago. That’s one way for me to stay up to date on the latest hip python libraries i guess…
— Hauke Lübbers (@streamlin3d) August 17, 2022
Earlier on, code vulnerability research firm Snyk spotted 12 malicious PyPi packages from the same author aimed at compromising Windows hosts.
The packages, with names like “hackerfilelol”, would attempt to download malicious files from the chat app Discord’s content delivery network, the researchers said.
On execution, the malware would attempt to exfiltrate Google Chrome passwords, cookies, history and other data, as well as stealing Discord tokens and injecting a persistent malicious agent in the chat app process.
The malware would also attempt to steal Roblox cookies and payments data, the Snyk researchers said.
This news is republished from another source. You can check the original article here
Be the first to comment