Attackers are hijacking node package manager (NPM) accounts and using them to drop crypto-mining and credential-stealing malware onto Linux and Windows machines, according to an analysis from SophosLabs.
The NPM repository account associated with the popular node.js was briefly hijacked and used to distribute a malicious script, according to a report written by Sophos Senior Threat Researcher Sean Gallagher.
On Linux machines, Gallagher wrote, the script in question installed a Monero miner. On Windows systems, it also downloaded malware that attempts to steal user credentials. macOS systems are unaffected by this attack.
The use of NPM in this fashion illustrates how popular Linux servers have become as targets. One of the main goals in these attacks is to steal processing power from the victim’s computer for cryptomining.
Adding to the attractiveness for hackers is that many Linux servers run without antivirus protection because their operators want to avoid taking a performance hit.
To address this latest attack, Sophos has deployed Linux detections for the malicious NPM package and its components.
But Linux server administrators must remove the unauthorized miner if those post-infection components are detected. All Linux administrators with systems that use NPM packages should review the list of indicators of compromise on SophosLabs’ GitHub page to ensure they haven’t been infected by the malicious miner.
“SOC teams can also check the URLs and IP addresses in the IOCs against their firewall and DNS logs for signs of the miner and malware,” Gallagher wrote. “Administrators and SOC teams should also check for domains associated with coin mining applications in their organization’s network traffic if such activity is banned on their networks to discover rogue miners.”
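The log check Gallagher describes, as an added example that is not from the Sophos report: the IOC domains and addresses below are constructed placeholders (the real list must be taken from the SophosLabs GitHub page), and the DNS and firewall lines are constructed samples in dnsmasq-style and a generic src/dst format.

```python
import re
from collections import Counter

# Constructed placeholder indicators standing in for the published IOC list.
# These are NOT real indicators; replace them with the SophosLabs values.
IOC_DOMAINS = {"mining-pool.example.invalid", "dropper.example.invalid"}
IOC_IPS = {"192.0.2.45", "198.51.100.7"}

# Constructed sample logs: a dnsmasq-style query log and a plain firewall log.
DNS_LOG = """\
Oct 22 10:14:03 dnsmasq[812]: query[A] api.npmjs.org from 10.0.0.5
Oct 22 10:14:09 dnsmasq[812]: query[A] cdn.mining-pool.example.invalid from 10.0.0.12
Oct 22 10:14:11 dnsmasq[812]: query[A] dropper.example.invalid from 10.0.0.12
"""
FW_LOG = """\
Oct 22 10:14:12 fw ACCEPT src=10.0.0.12 dst=192.0.2.45 dport=3333 proto=tcp
Oct 22 10:14:15 fw ACCEPT src=10.0.0.5 dst=93.184.216.34 dport=443 proto=tcp
"""

DNS_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)")
FW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")

def domain_matches(name, iocs):
    """True if name equals an IOC domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in iocs)

def scan_dns(log, iocs=IOC_DOMAINS):
    """Return (client, queried_name) pairs whose query hit an IOC domain."""
    hits = []
    for line in log.splitlines():
        m = DNS_RE.search(line)
        if m and domain_matches(m.group(1), iocs):
            hits.append((m.group(2), m.group(1)))
    return hits

def scan_firewall(log, iocs=IOC_IPS):
    """Return (src, dst, dport) for connections to an IOC address."""
    hits = []
    for line in log.splitlines():
        m = FW_RE.search(line)
        if m and m.group(2) in iocs:
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

def suspect_hosts(dns_log=DNS_LOG, fw_log=FW_LOG):
    """Count IOC hits per internal host so the noisiest hosts are triaged first."""
    counts = Counter(client for client, _ in scan_dns(dns_log))
    counts.update(src for src, _, _ in scan_firewall(fw_log))
    return dict(counts)
```

Subdomain matching matters because a miner's pool or download host is often reached through a hostname under the listed domain rather than the bare domain itself.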
Several behaviors in the NPM attack trigger generic Sophos detections on Windows, so Windows systems running Sophos were already protected at the time of the attack.
The miner was also proactively detected by Sophos on Windows as XMRIG Miner PUA, and the credential theft malware was detected prior to the attack as Mal/EncPk-AQC. Additional detections for the NPM scripts were released soon after the attack.