I'm confused why they think this is malware as opposed to just a miner optimized to run on Lambda. It even says, "we don't know how this gets deployed". Presumably someone just deploys it so they can do mining taking advantage of Lambda's free tier.
They state that “the managed runtime environment reduces the attack surface compared to a more traditional server environment”, but is that true? Isn’t it just that the attack surface that you are responsible for is reduced? I could see all the Lambda “magic” (i.e., reducing cold start times) actually adding to the runtime attack surface.
Curious to see how this would be deployed in the wild. A sneaky way would be to add this as an extension to existing Lambdas - it could run in parallel any time such a Lambda is invoked, and continue even after an initial response until the timeout for the function is reached.