Cryptominer, Credentials Thief Distributed Through JavaScript Package Manager




The NPM repository account linked to a popular node.js library was hacked for some time on Friday and used to distribute a malicious script, according to security firm Sophos.

NPM is a package manager for the JavaScript programming language. In a blog post, Sean Gallagher, Senior Threat Researcher at Sophos, said the script in question installed a monero miner on Linux systems, while on Windows systems malware that collected credentials was dropped.

The account used was that of the developer of a package known as UAParser.js, a library used by web applications to detect information about browser types and operating systems.

“The attacker used this access to modify the library’s deployment package, adding instructions to run a new script named preinstall.js,” Gallagher wrote.

“Preinstall.bat and have also been added to the package, Windows and Linux scripts to be executed by the node.js package.

“The hijacker then pushed the changes in the form of three new versions: 0.7.29, 0.8.0 and 1.0.0.”

After a few hours, the developer in question noticed that something was wrong and released clean versions of the library.
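A defensive check for the three hijacked releases named above, as an added example that is not from Sophos or the article: it scans a parsed package-lock.json for those versions and for entries that carry install-time scripts. The registry name `ua-parser-js`, the function names and the sample lockfile are assumptions constructed for illustration.

```javascript
// Versions are the three named in the article; "ua-parser-js" is assumed
// to be the registry name under which UAParser.js is published.
const BAD = new Map([['ua-parser-js', new Set(['0.7.29', '0.8.0', '1.0.0'])]]);

// Package name from a lockfile v2/v3 key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns one finding per compromised copy, plus any other package that npm
// recorded as having an install-time script (the hook the hijacker abused).
function auditLock(lock) {
  const findings = [];
  const check = (name, version, where, hasInstallScript) => {
    if (BAD.get(name)?.has(version)) {
      findings.push({ kind: 'compromised', name, version, where });
    } else if (hasInstallScript) {
      findings.push({ kind: 'install-script', name, version, where });
    }
  };
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    check(nameFromPath(path), meta.version, path, meta.hasInstallScript === true);
  }
  // lockfileVersion 1: nested "dependencies" tree (no install-script flag).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, trail.concat(name).join(' > '), false);
      walk(meta.dependencies, trail.concat(name));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return findings;
}

// Constructed sample (not from the article): a clean top-level copy and a
// hijacked copy nested under a transitive dependency.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/ua-parser-js': { version: '0.7.28' },
    'node_modules/x/node_modules/ua-parser-js': { version: '0.7.29', hasInstallScript: true },
    'node_modules/native-addon': { version: '2.1.0', hasInstallScript: true },
  },
};
console.log(auditLock(sampleLock));
```

To audit a real project, pass in the parsed contents of its package-lock.json; a `compromised` finding means the install scripts may already have run on that machine.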

Interestingly, the script that was dropped on Linux systems checked the country code and did not run if the returned code was for Russia, Ukraine, Kazakhstan, or Belarus.

The script downloaded a file from a server in Latvia that included the miner.

“The repeated attempts to use NPM to distribute miners on Linux systems over the past month are further proof that Linux servers continue to be a very attractive target for cybercriminals – and stealing processing power for cryptomining is an easy way to monetize criminal access to these systems,” Gallagher concluded.

“Many Linux servers run without any virus protection installed because their operators want to avoid suffering an impact on performance, but that makes detecting and mitigating attacks like these more complex – and mining monero for someone else is not exactly optimizing server performance.”
