22.Lock ScreenEffect

Multiple malicious packages have been identified on the npm registry this month. These packages disguise themselves as legitimate JavaScript libraries, but have been caught launching cryptominers on Linux, Windows and MacOS machines.

The malicious packages are:

  • okhsa
  • klow
  • klown

“klow, klown” have been tracked under Sonatype-2021-1472. Whereas, “okhsa” has been cataloged under Sonatype-2021-1473.

Different versions of the “okhsa” package largely contain skeleton code that launches the Calculator app on Windows machines pre-installation. But additionally, these versions contain either the “klow” or the “klown” npm package as a dependency—which is malicious.