Threat actors behind the campaign published 1,283 malicious modules in the repository and used over 1,000 different user accounts. The researchers uncovered the supply chain attack after notocing a burst of suspicious NPM users and packages automatically created.
“Checkmarx SCS team detected over 1200 npm packages released to the registry by over a thousand different user accounts. This was done using automation which includes the ability to pass NPM 2FA challenge. This cluster of packages seems to be a part of an attacker experimenting at this point.” reads the post published by Checkmarx. “We dubbed this new actor “CuteBoi” as a tribute to the “cute” username hardcoded in many of the packages’ configuration files and to one of the non-random NPM usernames the Attacker is using, “cloudyboi12”
The rogue packages contain a duplicate of the code of the eazyminer package, a JS wrapper around the XMRig mining software. The wrapper was designed to utilize unused resources of systems such as ci/cd and web servers.
The researchers pointed out that installing the malicious packages will have no negative effect on the machine. The miner functionality can be triggered from within another program and doesn’t work as a standalone tool, this means that it won’t run upon installation.
CuteBoi relies on a disposable email service called mail.tm to automate the creation of the users that uploads the packages to the NPM repository.
mail.tm provides REST API to allow to open disposable mailboxes and read the received emails sent to them with a simple API call. In this, operators behind the CuteBoi campaign can bypass NPM 2FA challenge when creating a user account.
“CuteBoi is the second attack group seen this year using automation to launch large-scale attacks on NPM. We expect we will continue to see more of these attacks as the barrier to launce them is getting lower.” concludes the experts.
Recently security experts spotted another large-scale supply chain attack, tracked as IconBurst, which aimed at stealing sensitive data from forms embedded in downstream mobile applications and websites.