The Hidden Threat in Open Source: Cryptocurrency Miners Masquerading as Compilers


Published on Sep 1, 2023   —   4 min read

In a recent revelation, the Phylum Research Team uncovered a malicious NPM package that poses as a utility library for the GNU Compiler Collection (GCC). Named gcc-patch, this package is far from a benign compiler; it's a cryptocurrency miner in disguise. This blog post aims to dissect the technical intricacies of this supply chain attack and offer preventive measures to safeguard your development environment.

The Deception Unveiled

The gcc-patch package claims to be a custom GCC compiler for various projects. However, upon closer inspection, it's evident that the package serves a more nefarious purpose. It houses an ELF binary named gcc, which, when executed, activates a concealed cryptocurrency miner. This miner taps into the computational resources of the host machine, essentially turning it into a cog in a larger mining operation.

Technical Insights

In the realm of cybersecurity, the gcc-patch NPM package serves as a textbook example of a supply chain attack with a twist. While posing as a utility library for the GNU Compiler Collection (GCC), the package is actually a cryptocurrency miner in disguise. It contains an ELF binary named gcc, which is not a compiler but a concealed miner that taps into the host machine's computational resources.

The package's index.js script plays a pivotal role in this deceptive operation. It contains a function named build, which is exported for external use. When invoked, this function grants executable permissions to the binary using the chmod a+x command and then runs it, thereby activating the hidden miner. Adding to the suspicion, the package's author, identified as "lolfhd22," remains anonymous, offering no verifiable details. This multi-layered deception is a stark reminder of the need for heightened vigilance in the open-source ecosystem.

  1. The Binary: The package contains an ELF binary named gcc. While one would expect this to be a compiler, it is actually a cryptocurrency miner.
  2. Execution Script: The package's index.js script is designed to run the binary. It grants executable permissions using chmod a+x and then runs it.
  3. Author Anonymity: The package's author, "lolfhd22," offers no verifiable details, adding another layer of suspicion.

A Deep Dive into the Code

The index.js script within the gcc-patch package serves as the linchpin for this supply chain attack. It's a masterclass in deceptive coding, designed to exploit the trust developers place in third-party packages. Let's dissect its key components to understand how it operates.

The build Function: A Wolf in Sheep's Clothing

The script exports a function named build, which is ostensibly designed to compile code. In reality, this function is a smokescreen. When invoked, it executes a pre-compiled ELF binary named gcc. This binary, however, is not a compiler but a cryptocurrency miner that leeches computational resources from the host machine.

Here's a simplified version of what the build function looks like:

function build(...args) {
  const { execSync } = require('child_process');
  const output = execSync('chmod a+x ./node_modules/gcc-patch/gcc && ./node_modules/gcc-patch/gcc', { encoding: 'utf-8' });
module.exports = build;

The chmod a+x Command: Granting Unwarranted Permissions

The chmod a+x command grants executable permissions to the faux gcc binary. This is a classic technique used in various types of malware to enable the execution of malicious code. Once the permissions are set, the binary is executed, activating the hidden cryptocurrency miner.

Pulling External Scripts: The GitHub Connection

The script also has the capability to pull additional malicious code from GitHub. This is particularly concerning because it allows the attacker to update the miner or even replace it with different malware without having to update the package itself. This makes the attack more dynamic and harder to defend against.

Absence of Compiler Functionalities

Notably, the binary lacks the functionalities one would expect from a genuine GCC compiler. This could be either an oversight on the attacker's part or a deliberate move to avoid detection. Either way, it's a red flag that can help in identifying the package as malicious.

Security Implications

The deceptive index.js script highlights the risks associated with blindly trusting third-party code. It serves as a cautionary tale, emphasizing the need for rigorous code reviews and vetting processes when incorporating external packages into your development projects.

By understanding the intricacies of how this malicious code operates, developers and cybersecurity professionals can better arm themselves against similar threats in the future.

Cryptographic Functions

The binary exports numerous cryptographic functions, such as randomx_release_cache and sph_whirlpool_close, which are linked with mining algorithms like RandomX. These functions, along with various strings closely associated with the XMR miner, provide strong evidence that this binary is not a compiler.

The Implications

This package serves as a grim reminder of the hidden dangers present in the open-source ecosystem. By impersonating a benign GCC compiler, it seeks to exploit the trust and resources of software developers.

Preventive Measures

  1. Vigilance: Always scrutinize the packages you're about to install, especially if they're from unknown or unverified sources.
  2. Code Review: Conduct a thorough code review of third-party packages before integrating them into your projects.
  3. Use Trusted Repositories: Stick to well-known and trusted repositories for your package needs.


The discovery of the gcc-patch NPM package serves as a wake-up call for the developer community. This malicious package, masquerading as a benign GCC compiler, underscores the vulnerabilities inherent in the open-source ecosystem. It exploits the trust and computational resources of developers, turning their machines into unwitting participants in a cryptocurrency mining operation.

Lessons Learned and Next Steps

  1. Code Review: This incident emphasizes the critical importance of conducting rigorous code reviews when incorporating third-party packages. A simple review could unveil suspicious functionalities, such as the absence of expected compiler features in a package claiming to be a GCC compiler.
  2. Author Verification: The anonymity of the package's author, "lolfhd22," serves as another red flag. Developers should be cautious when dealing with packages from unverified or anonymous sources.
  3. Dynamic Threat Landscape: The ability of the malicious script to pull additional code from external sources like GitHub indicates that threats can evolve dynamically. This makes it imperative to not just vet packages at the time of inclusion but to also monitor them continuously for changes.
  4. Community Vigilance: The cybersecurity community must work collectively to identify and neutralize such threats. Sharing information and best practices can go a long way in fortifying the open-source ecosystem.

Final Thoughts

As we navigate the complex landscape of open-source software and third-party dependencies, let this incident serve as a reminder of the need for heightened vigilance. The gcc-patch package is not an isolated case but a symptom of a larger issue that requires immediate attention and action from both developers and cybersecurity professionals.

For more in-depth analysis on cybersecurity and emerging technology, stay tuned to The Final Hop.

Share on Facebook Share on Linkedin Share on Twitter Send by email

Subscribe to the newsletter

Subscribe to the newsletter for the latest news and work updates straight to your inbox, every week.