Check Point cybersecurity researchers have discovered 16 typosquatted packages in the NPM repository that install cryptocurrency miners.
NPM is one of the more popular JavaScript repositories, with over two million open source packages that developers can use to speed up software development.
As such, it is an attractive target for cybercriminals engaged in supply chain attacks. Developers who download malicious packages endanger not only their endpoints, but also those who end up using their products.
Pretending to be a speed test package
In this incident, an unknown threat actor using the alias “trendava” uploaded 16 malicious packages on January 17, all posing as Internet speed testers. They all have names similar to a real speed tester, but they are designed to install a cryptocurrency miner on the target device. Among the names are speedtestbom, speedtestfast, speedtestgo and speedtestgod.
A cryptocurrency miner uses the computer’s processing power, electricity, and internet to generate tokens, which can later be sold on an exchange for fiat currencies (US dollars, euros, etc.). When the miner is active, it takes up almost all of the computing power of the device, making it useless for anything else. Miners are quite popular malware these days, with threat actors looking to install XMRig on servers and other powerful devices. XMRig is mining Monero (XMR), a privacy coin that is nearly untraceable.
NPM removed all malicious packages a day after they were uploaded, on January 18.
Asked about the fact that there are 16 similar packages, the researchers said it was possible that the attackers were using trial and error:
“It is reasonable to assume that these discrepancies are a trial that the attacker did, not knowing in advance which version will be detected by the malicious package’s hunter tools and therefore trying different ways to hide their malicious intent,” said Check Point. “As part of this effort, we have seen the attacker host the malicious files on GitLab. In some cases, the malicious packages interacted directly with the cryptopools, and in some cases appear to be using executables for that need.”
The best way to protect against typosquatting is to use caution when implementing open-source code and only use packages from trusted sources.
Via: Bleeping Computer