An unidentified threat group has launched a newly spotted crypto mining campaign called CuteBoi to conduct a malicious attack that targets the NPM JavaScript package repository. Based on the analysis, the threat actors used the term “cute” as a username and was hardcoded in numerous packages and a non-random NPM username.
The researchers also noticed a username that allegedly belonged to an attack named cluodyboi12.
The recent crypto mining campaign includes over 1,200 malicious modules published throughout nearly a thousand automated user accounts. Moreover, the automation contained the ability to avoid the NPM 2FA security feature.
The packages also included nearly identical source code from a previously identified package, called eazyminer. The threat actors utilise the miner to compromise Monero by using unused resources on web servers.
Additionally, the newly discovered crypto mining campaign utilises a disposable email service coded as mail[.]tm.
The CuteBoi crypto mining attack may be a dry run for something grander.
According to the researchers, the CuteBoi crypto mining attack’s package cluster is a portion of an experimentation process by them to test its capabilities. Furthermore, the research group noticed that the packages included XMRig miners, whose binaries were delivered with malicious packages.
The threat actors could include the binaries to the packages by modifying their names to match the random package titles. The group’s original automation strategy launches an attack without registering domains and hosting a custom server.
Currently, there are numerous NPM attacks as the cryptocurrency landscape expands. Recently, in an NPM supply chain attack, IconBurst used a typosquatting strategy to compromise developers that hunts for popular packages.
Researchers indicated that one of the malicious packages was downloaded by users more than 17 thousand times, which may have impacted thousands of developers.
The versatility of NPM packages gave tons of abilities that software developers can utilise. However, these abilities also held numerous security risks. Therefore, experts suggest that software developers should be cautious in trusting these packages.
Cybersecurity experts suggest that these developers follow proper security measures, such as inspecting the code repository to minimise the chances of getting infected by malicious packages.
