Hackers Plant Crypto Miners by Exploiting Flaw in Popular Server Framework Salt

Hackers have exploited a critical flaw in infrastructure management tool Salt and, in one case, planted crypto mining software.

Updated Sep 14, 2021, 8:36 a.m. Published May 4, 2020, 2:10 p.m.
(Credit: Shutterstock)

A hacking group has installed crypto mining malware into a company server through a weakness in Salt, a popular infrastructure tool used by the likes of IBM, LinkedIn and eBay.

Blogging platform Ghost said Sunday an attacker had successfully infiltrated its Salt-based server infrastructure and deployed a crypto-mining virus.

"Our investigation indicates that a critical vulnerability in our server management infrastructure ... was used in an attempt to mine cryptocurrency on our servers," reads an incident report. "The mining attempt spiked CPUs and quickly overloaded most of our systems, which alerted us to the issue immediately."

Ghost said Monday developers had removed the mining malware from its servers and added whole new firewall configurations.

Salt is an open-source framework, developed by SaltStack, that manages and automates key parts of company servers. Clients, including IBM Cloud, LinkedIn, and eBay, use Salt to configure servers, relay messages from the "master server" and issue commands on a specific time schedule.

SaltStack alerted clients a few weeks ago there was a "critical vulnerability" in the latest version of Salt that allowed a "remote user to access some methods without authentication" and gave "arbitrary directory access to authenticated users."

SaltStack also released a software update fixing the flaw on April 23.

Android mobile operating system LineageOS said hackers had also accessed its core infrastructure via the same flaw, but the breach was quickly detected. In a report Sunday the company admitted it hadn't updated the Salt software.

It remains unknown whether the same group is behind the LineageOS and Ghost attacks. Some attacks have planted crypto mining software, while others have instead planted backdoors into servers.

It isn't clear if hackers mined a particular cryptocurrency. Hacking groups have generally favored monero, as it can be mined with just general-purpose CPUs, not dedicated mining chips, and can be traded with little risk of detection.

CoinDesk has approached SaltStack for comment, but hadn't heard back by press time.
