Developer's AWS EC2 Instance Hijacked for Cryptomining via Malicious npm Package
A developer received an AWS Trust & Safety abuse report after their personal EC2 instance was found scanning other hosts on the internet. Investigation revealed that a fake npm package named 'child_process' — which mimics a built-in Node.js module — had been listed as a dependency in the project's package.json. The package's postinstall script silently fetched and deployed XMRig, a Monero cryptominer, along with a network scanner running as root. The malware had been re-executing on every container rebuild due to a bind-mounted host directory and wide-open outbound network rules. The issue was resolved by removing the malicious dependency, wiping node_modules, and rebuilding the container from scratch.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.