How Hackers are Using Package Managers as Vectors for Deploying Coinminer Malware

Popping up in this week’s news was a case of three malicious PyPI (Python Package Index) packages that were found to be capable of deploying a cryptocurrency miner that targets Linux devices.

Coinminer malware is the scourge of modern computing environments, exploiting system resources and potentially compromising the security and efficiency of both individual devices and larger networks.

The packages, identified as modularseven, driftme, and catme, were published approximately four weeks ago and downloaded 431 times before PyPI took them down.

Fortinet’s analysis details a multi-phase attack, beginning with the driftme package’s import statement that conceals their payload.

The attack downloads and runs a CoinMiner executable in stages. Malicious code is decoded and retrieved, then a shell script fetches the configuration file from a remote URL. It downloads the coinminer executable from GitLab, and keeps the coinminer running in the background to mine cryptocurrency for the attacker.

The attack bears similarities to the “culturestreak” Python package detected by Checkmarx researchers in September 2023, which hijacked system resources for cryptocurrency mining, used obfuscated code to evade detection, and originated from a GitLab repository.

Socket flagged the modularseven, driftme, and catme packages as malware in early December when they were published. If a Socket user were unfortunate enough to come in contact with any of these packages, they would have been warned about an AI-detected supply chain security risk:

The code is suspicious and likely malicious as it appears to download and execute a remote script without user consent or knowledge. This behavior is characteristic of a remote code execution or a malware download attempt.

The warning for the driftme package:

The code is obfuscated and likely malicious, as it decodes an obfuscated string to execute a shell command that fetches and runs a script from a remote server without any user consent or validation, presenting a high security risk.

While the risk in this incident affects a minutely small number of users, it highlights a growing trend of increasingly sophisticated multi-phase attacks for deploying coinminers using package managers. These types of attacks will not always present themselves in such a readily identifiable manner as these three most recent packages, which were brand new and not linked to any popular projects.

The Perils of Overconfidence in Trusted Sources

There are times when you won’t know if a legitimate package has been hijacked, which is why you need security tools in place to detect malicious package updates in real-time.

In 2021, ua-parser-js a widely-used package with more than 7 million weekly downloads, was hijacked when the project owner’s npm account was hacked. The package was updated to install a Monero miner on Windows and Linux systems, and deploy malware that attempted to harvest user credential information.

Packages Masquerading as Legitimate Tools

In some instances, an attacker may create a package with a coinminer that poses as a different type of package. For example, in January 2023, a set of 16 packages were published to npm, masquerading as speed testers, but were actually deploying coinminers. These attackers were also hosting malicious files on GitLab as part of the payload.

In 2021, three packages named okhsa, klow, and klown were published to npm, claiming to be JavaScript-based user-agent string parsers designed to extract hardware specifics from the "User-Agent" HTTP header. Instead, the attacker hid cryptocurrency mining malware inside the libraries.

These are just a few examples of how dangerous it can be to not only grab packages from unverified and suspicious sources but also to blindly trust reputable package sources. If you’re not carefully reviewing the code in every package you update or add to your projects, then you need to have tools in place that will do it for you.

Socket’s content-based AI analysis detects malicious code and risky behavior in your dependencies, and flags them as threats before they have the chance to compromise your supply chain. Install the Socket for GitHub app for free today to start protecting your repositories.

Hackers continue to modify and improve their efforts to hide cryptomining malware in public package registries, and these types of attacks are likely to continue in 2024.