Node poisoning: Hacked NPM accounts spread malware


Attackers are hijacking node package manager (NPM) accounts and using them to drop crypto-mining and credential-stealing malware onto Linux and Windows machines, according to an analysis from SophosLabs.

NPM is the package manager for the Node.js JavaScript platform. It installs modules where Node can find them and resolves dependency conflicts between them. It is easily configurable to support a variety of use cases and, among other things, is used to publish, discover, install, and develop Node programs.

The NPM registry account of a popular Node.js library was briefly hijacked and used to publish versions carrying a malicious script, according to a report written by Sophos Senior Threat Researcher Sean Gallagher.

On Linux machines, Gallagher wrote, the script in question installed a Monero miner. On Windows systems, it also downloaded malware that attempts to steal user credentials. macOS systems are unaffected by this attack.

Gallagher wrote:

“This attack highlights the previously-exposed hazards associated with open-source repository poisoning. There were three other NPM-based attacks in October, using fraudulent JavaScript libraries that claimed to have the same functionality as the one that was hijacked—all of which instead attempted to install miners. But the hijacking was a much greater threat due to the large volume of downloads of the affected library (which saw over 7 million downloads in the last week). According to the developer’s web page, the module is used by companies such as Facebook, Apple, Amazon, Microsoft, Slack, IBM, HPE, Dell, Oracle, Mozilla, Shopify, and Reddit.”

The use of NPM in this fashion illustrates how popular Linux servers have become as targets. One of the main goals in these attacks is to steal processing power from the victim’s computer for cryptomining.

Adding to the attractiveness for hackers is that many Linux servers run without antivirus protection because their operators want to avoid taking a performance hit.

To address this latest attack, Sophos has deployed Linux detections for the malicious NPM package and its components.

Detection is not cleanup, however: Linux server administrators must remove the unauthorized miner themselves if those post-infection components are found. All Linux administrators with systems that use NPM packages should review the list of indicators of compromise on SophosLabs’ GitHub page to ensure they haven’t been infected by the malicious miner.

“SOC teams can also check the URLs and IP addresses in the IOCs against their firewall and DNS logs for signs of the miner and malware,” Gallagher wrote. “Administrators and SOC teams should also check for domains associated with coin mining applications in their organization’s network traffic if such activity is banned on their networks to discover rogue miners.”
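One way to run the check Gallagher describes, as an added example that is not part of the original article or of Sophos' published tooling: match DNS query logs and firewall logs against an IOC list, and separately flag hostnames that look like mining pools. The IOC domains and IPs below are constructed placeholders (substitute the real SophosLabs list), the log lines are constructed samples in dnsmasq and iptables-style formats, and the mining-pool hostname hints are an assumption to be tuned per site.

```python
import re
from typing import Dict, List, Optional

# Hypothetical indicators, constructed for this example. Replace with the
# domains and IPs from SophosLabs' GitHub IOC list.
IOC_DOMAINS = {"evil-update.example", "cdn.bad-mirror.example"}
IOC_IPS = {"203.0.113.10", "198.51.100.7"}

# Hostname fragments common in Monero mining-pool names (assumption; tune per
# site and expect some false positives).
MINING_HINTS = ("xmr", "monero", "minexmr", "supportxmr", "nanopool", "hashvault")

# Constructed sample log lines (not real traffic): dnsmasq-style query log
# entries and iptables-style firewall entries.
SAMPLE_LOGS = [
    "Oct 22 14:01:02 host1 dnsmasq[812]: query[A] registry.npmjs.org from 10.0.0.5",
    "Oct 22 14:01:09 host1 dnsmasq[812]: query[A] evil-update.example from 10.0.0.5",
    "Oct 22 14:01:10 host1 dnsmasq[812]: query[A] pool.minexmr.example from 10.0.0.5",
    "Oct 22 14:01:11 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=203.0.113.10 PROTO=TCP DPT=443",
    "Oct 22 14:01:12 fw1 kernel: ACCEPT IN=eth0 SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443",
]

DNS_RE = re.compile(r"query\[\w+\]\s+(?P<qname>[\w.-]+)\s+from\s+(?P<client>[\d.]+)")
FW_RE = re.compile(r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+)")


def domain_matches(qname: str, ioc_domains) -> Optional[str]:
    """Return the IOC domain that qname equals or is a subdomain of, else None.

    Subdomain matching is done on label boundaries so that
    'notevil-update.example' does not match 'evil-update.example'.
    """
    q = qname.lower().rstrip(".")
    for d in ioc_domains:
        if q == d or q.endswith("." + d):
            return d
    return None


def looks_like_mining_pool(qname: str) -> bool:
    """Heuristic: any DNS label containing a known mining-pool fragment."""
    labels = qname.lower().split(".")
    return any(hint in label for label in labels for hint in MINING_HINTS)


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return the findings for one log line (empty list if it is clean)."""
    findings: List[Dict[str, str]] = []
    m = DNS_RE.search(line)
    if m:
        qname, client = m.group("qname"), m.group("client")
        hit = domain_matches(qname, IOC_DOMAINS)
        if hit:
            findings.append({"type": "ioc_domain", "host": client, "value": qname, "ioc": hit})
        elif looks_like_mining_pool(qname):
            findings.append({"type": "mining_domain", "host": client, "value": qname, "ioc": ""})
    m = FW_RE.search(line)
    if m:
        src, dst = m.group("src"), m.group("dst")
        for ip in (src, dst):
            if ip in IOC_IPS:
                # The "host" is the internal side of the connection, the IOC the other end.
                internal = src if ip == dst else dst
                findings.append({"type": "ioc_ip", "host": internal, "value": ip, "ioc": ip})
                break
    return findings


def scan_logs(lines) -> List[Dict[str, str]]:
    """Scan an iterable of log lines and collect every finding in order."""
    out: List[Dict[str, str]] = []
    for line in lines:
        out.extend(scan_line(line))
    return out


def affected_hosts(findings) -> List[str]:
    """Distinct internal hosts with at least one finding, for triage."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    results = scan_logs(SAMPLE_LOGS)
    for f in results:
        print(f"{f['type']:15} host={f['host']:12} {f['value']} (ioc: {f['ioc'] or '-'})")
    print("hosts to triage:", affected_hosts(results))
```

In practice you would feed this the exported firewall and resolver logs for the window around the malicious package's publication and treat an `ioc_domain` or `ioc_ip` hit as confirmed contact; a `mining_domain` hit is only a lead, and is worth acting on mainly where mining is banned on the network, as Gallagher notes.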

Several behaviors in the NPM attack trigger generic Sophos detections on Windows, so Windows systems running Sophos were already covered at the time of the attack.

The miner was also proactively detected by Sophos on Windows as XMRIG Miner PUA, and the credential theft malware was detected prior to the attack as Mal/EncPk-AQC. Additional detections for the NPM scripts were released soon after the attack.

Bill Brenner

InfoSec content strategist, researcher, director, tech writer, blogger and community builder. Senior Vice President of Audience Content Strategy at CyberRisk Alliance.
