Threat Watch

Crypto-Miner Found Hidden Inside Three npm Libraries

DevOps security firm Sonatype has uncovered crypto-mining malware hidden inside three JavaScript libraries uploaded on the official npm package repository. The three files, disguised as user-agent string parsers, would detect the user’s operating system and then run a BAT or Shell script, based on the victim’s platform. “These scripts then download an externally-hosted EXE or a Linux ELF, and execute the binary with arguments specifying the mining pool to use, the wallet to mine cryptocurrency for, and the number of CPU threads to utilize,” said Sonatype security researcher Ali ElShakankiry, who discovered the campaign. The names of the three npm packages were: klow, klown, okhsa. The number of malicious packages uploaded on the npm repository has been rising, but companies like Snyk and Sonatype are constantly monitoring new uploads and package updates for malicious code.


Software from a trusted repository can be compromised, so companies should keep track of which npm packages they use and subscribe to a service that monitors for malicious code in packages to receive an alert quickly if one of the packages the company uses has been compromised.