Compromised NPM packages pose as speed testers

March 1, 2023

Researchers identified 16 new NPM packages that pose as internet speed testers to spread coinminers that could hijack infected devices and mine crypto funds for their operators.

The threat actors uploaded these malicious packages to NPM, an online repository with more than two million open-source JavaScript packages. The platform reaches numerous software developers, who use it to hasten the coding process.

Based on reports, the identified packages appeared in the first weeks of last month. All the malicious NPM packages were uploaded by a user named ‘trendava.’ Fortunately, NPM removed them immediately after receiving notices from researchers.

 

These NPM packages don the names of what seem to be speed tester apps.

 

Some of the confirmed NPM packages are named lagra, speedtestfast, speedtestgo, speedtestgod, speedtestis, speedtestkas, speedtesto, speedtestzo, trova, and trovam.

Most of the package names resemble the name of a legitimate speed tester tool. However, the packages contain cryptocurrency miners.

Furthermore, even though the packages share the same goal of deploying cryptominers, they use different code and different strategies to accomplish it.

Cybersecurity experts claimed that the differences among the compromised NPM packages are made on purpose by the threat actors since they do not know which version will be flagged by security detectors. Hence, they employed different tools and tried various methods to hide their tools and objective.

Some researchers have also spotted threat actors that hosted their malicious files on GitLab. In some instances, some packages interact directly with cryptocurrency pools and some leverage executables.

One example of the methods employed by the package developers is the kit offered by speedtestpa. This malicious package downloads a helper from GitLab and utilises it to link to the crypto mining pool. On the other hand, speedtestkas includes the malicious helper archive in the package itself.

Experts explained that software developers could mitigate the chances of getting infected by the packages by reviewing the code in any packages they include in their projects. Therefore, software devs should be cautious in downloading suspicious packages to avoid falling victim to cryptominers and hijackers.
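As a starting point for that review, the sketch below checks a parsed `package-lock.json` for the package names listed in this article, including transitive dependencies. It is an added example, not code from the researchers or from NPM; the name list is only the partial one given above, and the sample lockfile and its versions are constructed for illustration.

```javascript
// Package names as reported in the article (partial: "some of" the 16 packages).
const FLAGGED = new Set([
  'lagra', 'speedtestfast', 'speedtestgo', 'speedtestgod', 'speedtestis',
  'speedtestkas', 'speedtesto', 'speedtestzo', 'trova', 'trovam', 'speedtestpa',
]);

// Return [{name, version, path}] for every flagged package in a parsed lockfile.
function findFlagged(lock) {
  const hits = [];
  const marker = 'node_modules/';
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // the "" key is the root project itself
    const name = path.slice(idx + marker.length); // keeps @scope/name intact
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, path });
  }
  // lockfileVersion 1: nested "dependencies" tree. Skipped when "packages"
  // exists, because v2 lockfiles carry both and would report duplicates.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const chain = [...trail, name];
      if (FLAGGED.has(name)) {
        hits.push({ name, version: meta.version, path: chain.join(' > ') });
      }
      walk(meta.dependencies, chain);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile: one flagged package pulled in transitively.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-lib': { version: '2.1.0' },
    'node_modules/example-lib/node_modules/speedtestkas': { version: '1.0.0' },
  },
};

for (const hit of findFlagged(sampleLock)) {
  console.log(`flagged: ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findFlagged`. A match on name alone is a prompt to inspect the package contents, and an empty result says nothing about packages not on this list.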
