NPM packages posing as speed testers install crypto miners instead

A new set of 16 malicious NPM packages are pretending to be internet speed testers but are, in reality, coinminers that hijack the compromised computer's resources to mine cryptocurrency for the threat actors.

The packages were uploaded onto NPM, an online repository containing over 2.2 million open-source JavaScript packages shared among software developers to speed up the coding process.

CheckPoint discovered these packages on January 17, 2023, all uploaded to NPM by a user named "trendava." Following the company's report, NPM removed them the following day.

The sixteen malicious NPM packages installing cryptocurrency miners are:

lagra speedtesta speedtestbom speedtestfast speedtestgo speedtestgod speedtestis speedtestkas speedtesto speedtestrun speedtestsolo speedtestspa speedtestwow speedtestzo trova trovam

Most packages feature a name resembling an internet speed tester, but they are all cryptocurrency miners. Although they share the same objective, CheckPoint’s analysts found that each package employs different coding and methods to accomplish its tasks.

"It is fair to assume these differences represent a trial the attacker did, not knowing in advance which version will be detected by the malicious packages’ hunter tools and therefore trying different ways with which to hide their malicious intent," comments CheckPoint.

"As part of this effort, we’ve seen the attacker hosting the malicious files on GitLab. In some cases, the malicious packages were interacting directly with the crypto pools, and in some cases, they seem to leverage executables for that need."

For example, the "speedtestspa" package downloads a helper from GitLab and uses it to connect to the cryptocurrency mining pool, whereas "speedtestkas" includes the malicious helper file in the package.

The "speedtestbom" package goes a step further by attempting to hide the cryptocurrency mining pool address, so instead of hardcoding it, it connects to an external IP to retrieve it.

The fourth example given in CheckPoint’s report is the "speedtesto" package which features code from an actual speed testing utility, offering the promised functionality to the unsuspecting user.

Software developers can minimize the chances of falling victim to those supply chain attacks by carefully reviewing the code in any packages they add to their projects.

Furthermore, it is essential only to trust reputable sources and publishers and validate the names to avoid installing malicious typosquatting packages.

Last week, researchers from Phylum disclosed that they found 451 malicious typosquatting packages on PyPi that installed password-stealing malware.