CuteBoi: Over 1,200 NPM packages carry mining logic

Brief description of the event

Recently, Checkmarx researchers disclosed an NPM software supply chain attack involving a large number of packages.

The activity can be traced back to December 2021. The attackers published more than 1,200 malicious NPM packages containing obfuscated code. All of them carry the same mining script, eazyminer, whose stated purpose is to use idle resources on machines such as database and web servers for cryptomining.

Attack event analysis

Attack method

CuteBoi relies mainly on the disposable email service provided by mail.tm and its free API for fetching mail. Through it the attackers can satisfy npm's email-based verification, bypassing the two-factor authentication (2FA) check at publish time, and register a large number of user accounts.

(Image courtesy of checkmarx.com)

All of the published malicious packages use the source code of eazyminer, which uses spare resources on web servers to mine Monero.

(eazyminer calling code snippet in malicious package)

Each package contains the executables ronbhdcvpqkxwget (Linux) and ronbhdcvpqkxwget.exe (Windows).

(mining program in the directory)

The package checks the operating system at runtime and then launches the matching binary.

(judging environmental information)

Attack impact

If a developer installs one of these packages, Monero is mined whenever the package is invoked. Because the author of eazyminer sets the miner's CPU priority to 0 (the lowest level) in the source code, the mining process yields to other processes rather than competing with them, which also makes it hard to notice: a server that looks healthy on inspection may well have the miner quietly running in the background.

(A statement from the original author of eazyminer)

This week the OSCS community has detected at least three cryptomining poisoning incidents; developers are advised to stay alert.

Reference link

Learn more

OSCS (Open Source Software Supply Chain Security Community) publishes the latest security risk trends of open source projects as soon as possible, including security vulnerabilities in open source packages and poisoning intelligence. Community users can subscribe via WeCom (Qiwei), DingTalk, Feishu, and other channels.

For details on how to subscribe, see:

https://www.oscs1024.com/docs/vuln-warning/intro/

Source: www.oschina.net/news/202358