Recently discovered NPM malware poses as a legitimate Javascript library but launches cryptocurrency miners in Windows, macOS, & Linux machines.

Continue reading
**Security Research Team** at Sonatype observed packages from the npm registry and noticed some suspicious behavior in them. These packages posed as JavaScript libraries but were mining cryptocurrency on the backend in Windows, macOS, and Linux machines.
Sonatype security research team reported the malicious packages to npm on Oct 15th, 2021, and the npm security team took down the packages on the same day.
All the following packages were published by the same author, whose account is taken down now.

Oksha package contains a script that launches a calculator app on the machine, these versions of Oksha have either klow or klown package as their dependency.

_Manifest file for Oksha shows Klown as a dependency_
Just after hours, klow was removed by npm; researchers noticed klown had emerged. This package poses a legitimate JavaScript library - `UA-Parser-js` that helps programmers extract hardware specifics from the HTTP header. Looking closely, experts discovered that packages klow and klown contain cryptocurrency miners.

_Javascript library - UAParser.js_
The packages detect the machine's operating system and proceed to run a `.bat` or .`sh` script depending on its type. These scripts contain specific arguments regarding the wallet to mine cryptocurrency for and the number of CPU threads. The scripts download an externally hosted EXE, a well-known crypto miner flagged by **VirusTotal**.

Test run of cryptomining EXE <br>
_"It isn’t clear how the author of these packages aims to target developers. There are no obvious signs observed that indicate a case of typosquatting or dependency hijacking. *Klow(n)* does impersonate the legitimate UAParser.js library on the surface, making this attack seem like a weak brandjacking attempt,"_ added the researchers.

Backdoor.Daxin, the kernel-mode rootkit Symantec once called the most advanced tool ever tied to a China-linked espionage actor, has been found running again