NPM packages posing as speed testers install crypto miners instead

A new set of 16 malicious NPM packages are pretending to be internet speed testers but are, in reality, coinminers that hijack the compromised computer’s resources to mine cryptocurrency for the threat actors.

The packages were uploaded onto NPM, an online repository containing over 2.2 million open-source JavaScript packages shared among software developers to speed up the coding process.

CheckPoint discovered these packages on January 17, 2023, all uploaded to NPM by a user named “trendava.” Following the company’s report, NPM removed them the following day.

The sixteen malicious NPM packages installing cryptocurrency miners are:

• lagra
• speedtesta
• speedtestbom
• speedtestfast
• speedtestgo
• speedtestgod
• speedtestis
• speedtestkas
• speedtesto
• speedtestrun
• speedtestsolo
• speedtestspa
• speedtestwow
• speedtestzo
• trova
• trovam

Most packages feature a name resembling an internet speed tester, but they are all cryptocurrency miners. Although they share the same objective, CheckPoint’s analysts found that each package employs different coding and methods to accomplish its tasks.