
CuteBoi Cryptomining Campaign - 1,300 NPM Packages, 1,000 Automated User Accounts

CuteBoi. Trust us, there is nothing cute about this. The newly identified threat actor has launched a large-scale cryptomining campaign against the NPM JavaScript package registry. The name comes from the 'cute' username hardcoded in many of the packages and from the non-random NPM username of one of the attacker's accounts, 'cloudyboi12'.

Diving into details

  • The campaign comprises 1,283 malicious packages, published through more than 1,000 automatically created user accounts.
  • The account-creation automation was able to get past the NPM 2FA challenge.
  • The packages contain nearly identical source code, lifted from an existing package named eazyminer, which mines Monero using idle CPU capacity on web servers.
  • The accounts were registered through a disposable email service, mail[.]tm.


Why this matters

  • The researchers surmise that this cluster of packages is the attacker experimenting rather than a finished campaign.
  • The packages ship XMRig miner binaries alongside the code; the binaries are modified to match the randomly generated package names.
  • The automation approach is unusual: CuteBoi runs the whole operation without registering any domains or hosting a server of its own.

NPM under threat

  • An NPM supply chain attack dubbed IconBurst used typosquatting to target developers looking for popular packages. One of the malicious packages was downloaded more than 17,000 times.
  • An NPM package, flame-valli, claimed to let developers bypass any request proxy. Analysis showed that it carried a heavily obfuscated JavaScript payload that attempted to disable Windows Defender settings and protection services before deploying malware.
  • In May, several malicious packages were published to the NPM registry in supply chain attacks targeting media, industrial, and logistics companies based in Germany.

The bottom line

NPM packages undoubtedly bring real advantages to software developers, but those advantages come with security risk, so there is no reason to trust a package blindly. Apply basic checks before adopting one: inspect the source repository behind the package, be wary of packages with only one or two maintainers and little release history, and look at when and by whom it was last updated, among other measures.
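The checks above can be turned into a mechanical triage step. The following script is an added example, not code from the article or from Cyware: it inspects an npm registry "packument" (the JSON the registry returns for a package name) and flags the warning signs this campaign exhibits, namely a single maintainer, a maintainer registered at a disposable mail service (mail.tm is the one the article names), a package created days ago with a single version, install-time lifecycle hooks, and a tarball far larger than a small library would be (one way a bundled miner binary shows up). The two package documents, the 1 MB size threshold and the "two or more findings" policy are constructed assumptions for illustration, not real packages or a vendor rule.

```javascript
// Added example: heuristic triage of an npm packument for the warning signs the
// article describes. Not part of the original article or any vendor tooling.
// All package metadata below is constructed for illustration.

// Disposable-mail domains to flag. mail.tm is the service named in the article;
// a production list would come from a maintained source.
const DISPOSABLE_MAIL_DOMAINS = new Set(["mail.tm"]);

const DAY_MS = 24 * 60 * 60 * 1000;
// Assumption: tarballs above this unpacked size are unusual for a small library.
const LARGE_UNPACKED_BYTES = 1000000;

/**
 * Inspect one packument (shape of GET https://registry.npmjs.org/<name>)
 * and return a list of finding tags. `now` is injectable so results are
 * deterministic.
 */
function assessPackage(packument, now = Date.now()) {
  const findings = [];
  const maintainers = packument.maintainers || [];
  const versions = Object.keys(packument.versions || {});
  const latestTag = (packument["dist-tags"] || {}).latest;
  const latest = latestTag ? packument.versions[latestTag] : undefined;

  // 1. Few developers behind the package.
  if (maintainers.length <= 1) findings.push("single-maintainer");

  // 2. Maintainer registered through a disposable e-mail service.
  for (const m of maintainers) {
    const domain = String(m.email || "").split("@")[1];
    if (domain && DISPOSABLE_MAIL_DOMAINS.has(domain.toLowerCase())) {
      findings.push(`disposable-email:${domain.toLowerCase()}`);
    }
  }

  // 3. Freshly created package with little release history.
  const created = Date.parse((packument.time || {}).created);
  if (!Number.isNaN(created) && now - created < 30 * DAY_MS) {
    findings.push("created-within-30-days");
  }
  if (versions.length <= 1) findings.push("single-version");

  // 4. Lifecycle hooks that execute code at install time.
  const scripts = (latest && latest.scripts) || {};
  for (const hook of ["preinstall", "install", "postinstall"]) {
    if (hook in scripts) findings.push(`install-hook:${hook}`);
  }

  // 5. Tarball much larger than the code alone would justify.
  const dist = (latest && latest.dist) || {};
  if (typeof dist.unpackedSize === "number" && dist.unpackedSize > LARGE_UNPACKED_BYTES) {
    findings.push("large-unpacked-size");
  }

  return findings;
}

/** Assumed policy: two or more findings means "review before installing". */
function needsReview(packument, now = Date.now()) {
  return assessPackage(packument, now).length >= 2;
}

/** One report line per package, for use from a CI step or a shell loop. */
function triageReport(packuments, now = Date.now()) {
  return packuments.map((p) => {
    const f = assessPackage(p, now);
    return `${p.name}: ${needsReview(p, now) ? "REVIEW" : "ok"} [${f.join(", ")}]`;
  });
}

// Constructed sample metadata (hypothetical package names, not real packages).
const FIXED_NOW = Date.parse("2022-07-10T00:00:00Z");

const suspicious = {
  name: "xyz-abcd1234",
  "dist-tags": { latest: "1.0.0" },
  time: { created: "2022-07-05T11:02:00Z", modified: "2022-07-05T11:02:00Z" },
  maintainers: [{ name: "user9871", email: "user9871@mail.tm" }],
  versions: {
    "1.0.0": {
      name: "xyz-abcd1234",
      version: "1.0.0",
      scripts: { postinstall: "node index.js" },
      dist: { fileCount: 4, unpackedSize: 4200000 },
    },
  },
};

const ordinary = {
  name: "example-legit-lib",
  "dist-tags": { latest: "3.4.1" },
  time: { created: "2017-03-01T00:00:00Z", modified: "2022-06-20T00:00:00Z" },
  maintainers: [
    { name: "alice", email: "alice@example.org" },
    { name: "bob", email: "bob@example.org" },
  ],
  versions: {
    "3.4.0": { name: "example-legit-lib", version: "3.4.0", dist: { unpackedSize: 42000 } },
    "3.4.1": { name: "example-legit-lib", version: "3.4.1", dist: { unpackedSize: 43000 } },
  },
};

console.log(triageReport([suspicious, ordinary], FIXED_NOW).join("\n"));
```

Against the constructed data the first package trips all six checks and the second none. The heuristics are deliberately cheap and will produce false positives (a new solo project looks much like a throwaway account), so treat "REVIEW" as a prompt to open the repository and the tarball, not as a verdict.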
Publisher: Cyware