TH15107

Detected presence of files with behaviors that match the coinminer malware profile.

| priority | CI/CD status | severity | effort | RL level | RL assessment |
| --- | --- | --- | --- | --- | --- |
|  | fail | high | high | 1 | tampering: fail |
Reason: malware-like behaviors found

About the issue

Software components contain executable code that performs actions implemented during its development. These actions are called behaviors. In the analysis report, behaviors are presented as human-readable descriptions that best match the underlying code intent. While most behaviors are benign, some are exclusively used by malicious software with the intent to cause harm. When a software package matches behavior traits of malicious software, security solutions flag it. It is highly likely that the software package was tampered with by a malicious actor or a rogue insider. The detected threat type matches the behaviors typically exhibited by the coinminer malware profile. Coinminers are commonly used by financially motivated attackers to abuse available hardware resources of exposed computer systems for unauthorized cryptocurrency mining.

How to resolve the issue

  • Investigate reported detections.
  • Investigate your build and release environment for software supply chain compromise.
  • Delay the software release until the investigation is completed.
  • If this behavior is intended, rewrite the flagged code without using the malware-like behaviors.