Attacker Floods npm With Crypto-Mining Packages that Mine Monero When Installed with Default Configuration
Monero (XMR) is an open-source, privacy-oriented cryptocurrency that was launched in 2014. It uses a public distributed ledger containing technology that obscures transaction details to ensure the anonymity of its users. Monero maintains egalitarian mining, allowing anyone to participate. As tempting as it may seem, some go a step further and use the infrastructure of others to participate in mining.
Cryptocurrency mining was originally performed using CPUs, and Monero was no different. Over the years, mining capabilities have expanded to take advantage of the power of GPUs. Although for some cryptocurrencies both techniques have become obsolete, they are still widely used for mining XMR.
The attacker crouched in the shadows
It all started with a Reddit post, where u/TackleSouth6005 shared a tutorial on how to create a server-side Node.js Monero miner:
Figure 1 – Reddit post published on r/MoneroMining, accessed 30/06/2022
Inspired by the post, the attacker published the eazyminer-fsdjufhsdjf package, which shared code with eazyminer package–and which took the Mend research team only 34 seconds to spot.
Figure 2 – npm registry page of both packages
It’s worth noting that not only did the attacker steal the package name, but also the XMR address of the Reddit user used in the configuration files. The first malicious package in this attack was published on May 24, 2022 and shared the content of the original package.
En masse attacks
The attacker then stepped up efforts with an en masse attack that commenced on June 27, 2022, as hundreds of packages with the same behavior were uploaded. Over the course of the next few days, we spotted more attacks. With each attack, the time interval between successive publications of the packages decreased.
The packages were first released every five to six minutes, and the attack interval then shrunk to every minute. They initially came from a single account, and the attacker then expanded to use multiple accounts from the same domain. Once reported by Mend Research and blocked by npm, the attacker started using the “account per package” approach from another domain.
Figure 3 – Maciej’s tweet
At the time of writing this article, there are 601 npm packages sharing the same functionality:
Figure 4 – List of malicious packages accessed 30/06/2022
The attack vector
Although the eazyminer package provides clear install instructions, it is worth pointing out that we do not recommend installing it, and here’s why:
Figure 5 – Install instructions from the eazyminer package
Every time you require the miner, it executes the following code:
// Step 1 - server/src/index.js
const App = require('./app');
module.exports = App;
// Step 2 - server/src/app.js
module.exports = class App {
// ...
start() {
if (!this._initialized) {
this._init();
}
this._controller.start();
}
_init() {
// ...
this.controller.loadMiner('xmrig');
}
}
// Step 3 - server/src/miners.controller.js
module.exports = class Controller {
// ...
loadMiner(name) {
const Miner = require(`./miners/${name}/${name}.miner.js`);
const miner = new Miner(this._app);
this._miners.push(miner);
}
}
// Step 4 - server/src/miners/xmrig/xmrig.miner.js
module.exports = class XMRIGMiner {
// ...
_updateConfig() {
const configBasePath = path.join(__dirname, './config.base.json');
const configBase = JSON.parse(fs.readFileSync(configBasePath));
// merge given pools config with base configs
const pools = this._app.config.pools.map(poolConfig => Object.assign({}, configBase.pools[0], poolConfig))
}
}
If we take a closer look at what happens at the config-merging stage, we can see that if no config exists, the code uses the one provided in the config.base.json file.
// excerpt from config.base.json
{
"pools": [
{
"algo": null,
"coin": "xmr",
"url": "xmrpool.eu:9999",
"user": "47D8WQoJKydhTk[CENSORED]"
}
]
}
Each published package is relying on pool mining. Pool mining gives the miner frequent payouts. The amount of XMR (Monero tokens) they receive is correlated with their participation in the pool. Although the package theoretically allows miners to use both GPUs and CPUs, the attacker’s method primarily relies on CPUs.
The victims
Most of these malicious packages use unique names such as wbkvsaipmgythxkz, nwavbdqkkelfruoz, kqdxlgaurwyzbsjk, or puqjgilbnreysztf. One might ask, what are the chances of a successful typosquatting attack using names like these? Well, the attacker’s modus operandi seems different.
Systems that were targeted in this attack are security scanners and other automated systems. They install the packages and analyze their content. If they do not provide an initial configuration, the package is going to use the one provided in the config.base.json file, with the hard-coded XMR address. By doing so, the package will use the default XMR address and mine on behalf of the user from the config.
How to protect your organization
Supply chain attacks evolve and grow more frequent each day. The easiest way to protect this attack surface is to use an automated supply chain security solution such as Mend Supply Chain Defender that informs you when you import a malicious package from open source registries.
Mend enterprise customers using JFrog Artifactory as a private repository manager can prevent malicious open source software from entering their code base using the Mend Supply Chain Defender Integration with JFrog Artifactory.
Learn how Mend Supply Chain Defender blocks software supply chain attacks.
