Researchers at security vendor Sonatype say they have found 186 malicious packages in the npm Javascript library registry, which infect Linux hosts with crypto currency mining applications.
Sonatype said many of the packages, published by the same pseudonymous npm account, typo-squat to trick users of well-known software like React, using names like r2act.
The malicious packages download a malicious Bash shell script to fetch the Monero crypto mining code from the threat actor's server, Sonatype said.
Sonatype noted that another researcher, Hauke Lübbers, had spotted 55 malicious packages from the Python language PyPI registry also tried to download similar cryptomining scripts from the same server as above.
"Uff, the actor has uploaded 22 more packages since all others had been removed 35 minutes ago. That's one way for me to stay up to date on the latest hip python libraries i guess...", Lübbers said.
Uff, the actor has uploaded 22 more packages since all others had been removed 35 minutes ago. That's one way for me to stay up to date on the latest hip python libraries i guess...
— Hauke Lübbers (@streamlin3d) August 17, 2022
Earlier on, code vulnerability research firm Snyk spotted 12 malicious PyPi packages from the same author aimed at compromising Windows hosts.
The packages, with names like "hackerfilelol", would attempt to download malicious files from the chat app Discord's content delivery network, the researchers said.
On execution, the malware would attempt to exfiltrate Google Chrome passwords, cookies, history and other data, as well as stealing Discord tokens and injecting a persistent malicious agent in the chat app process.
The malware would also attempt to steal Roblox cookies and payments data, the Snyk researchers said.
_page-0001.jpg&w=100&c=1&s=0)
.png&w=120&c=1&s=0)
Security Exhibition & Conference 2025
Integrate Expo 2025
Digital As Usual Cybersecurity Roadshow: Brisbane edition
iTnews Benchmark Security Awards 2025
.jpg&h=140&w=231&c=1&s=0)
.jpg&h=140&w=231&c=1&s=0)
