Three packages have been identified in the NPM repository that perform hidden mining of cryptocurrencies

Three malicious packages, klow, klown and okhsa, were detected in the NPM repository. Presented as libraries for parsing the User-Agent header (they used a copy of the UA-Parser-js library), they contained malicious changes that set up cryptocurrency mining on the user's system. The packages were posted by a single user on October 15th, but were immediately identified by outside researchers, who reported the issue to the NPM administration. As a result, the packages were removed within a day of publication, but not before they had accumulated about 150 downloads.

The malicious code itself was contained only in the "klow" and "klown" packages, which were used as dependencies in the okhsa package. The okhsa package also had a stub that launches the calculator on Windows. Depending on the current platform, an executable file for mining was downloaded from an external host and launched on the user's system. Miner builds were prepared for Linux, macOS and Windows. At launch, the miner was passed the number of the pool for joint mining, the number of the crypto wallet and the number of CPU cores to use for the calculations.
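
Because klow and klown arrived as dependencies of okhsa, a check of a project's direct dependencies alone would miss them. The following added example (not code from the article or from NPM) walks a parsed package-lock.json in both the nested and the flat lockfile layout and reports the three names at any depth; the function names, sample lockfiles and "0.0.0" versions are constructed for illustration.

```javascript
// Added example: package names are from the article; everything else is constructed.
const FLAGGED = new Set(["klow", "klown", "okhsa"]);

// lockfileVersion 2/3: flat "packages" map keyed by install path,
// e.g. "node_modules/okhsa/node_modules/klown".
function scanPackagesMap(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    if (path === "") continue; // root project entry
    const name = meta.name || path.split("node_modules/").pop();
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, via: path });
  }
}

// lockfileVersion 1: nested "dependencies" tree; recurse to reach transitive installs.
function scanDependencyTree(deps, trail, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const via = [...trail, name].join(" > ");
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, via });
    scanDependencyTree(meta.dependencies, [...trail, name], hits);
  }
}

// Returns one record per flagged install, with the path that pulled it in.
function findFlagged(lock) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, hits);
  else scanDependencyTree(lock.dependencies, [], hits);
  return hits;
}

// Constructed sample lockfiles (placeholder versions), one per layout.
const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/okhsa": { version: "0.0.0" },
  "node_modules/okhsa/node_modules/klown": { version: "0.0.0" },
  "node_modules/ua-parser-js": { version: "0.0.0" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  okhsa: { version: "0.0.0", dependencies: { klow: { version: "0.0.0" } } },
  "ua-parser-js": { version: "0.0.0" },
} };

// Optional CommonJS CLI use: node scan.js path/to/package-lock.json
if (typeof require !== "undefined" && typeof module !== "undefined" &&
    require.main === module && process.argv[2]) {
  console.log(findFlagged(JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))));
}
```

A non-empty result on a build host or developer machine means the package was resolved for install there, so the host should be checked for the downloaded miner executable as well.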

Source: opennet.ru
