OnlyKey app memory usage Linux Buster

A few days ago I noticed my Linux Debian CPU was pegging, with one of my cores at 100% usage. When I looked at the processes running on my laptop, this one below was the responsible job. (I have added some line breaks to make it more readable):

/proc/self/exe
–type=renderer
–no-sandbox
–file-url-path-alias=/gen=/opt/OnlyKey/gen
–no-zygote
–field-trial-handle=15862159829197978252,11898307318573346910,131072
–lang=en-US
–enable-crash-reporter=,
–user-data-dir=/home/howard/.config/OnlyKey
–nwapp-path=/opt/OnlyKey
–nwjs
–extension-process
–num-raster-threads=1
–renderer-client-id=5
–shared-files

After killing this job, my CPU usage returned to normal.

I’m still not sure of many things, but now better understand a little more about /proc/self, so the next time I can do a more complete investigation before killing it.

Later I decided to try to find out what this job is, and where it came from. So first I did web searches for some of it’s properties above, and found these related web page:

https://support.google.com/chrome/thread/24386432?hl=en

https://codereview.chromium.org/2384163002

So it appears that it might be malware either having something to do with OnlyKey, and also possibly mining for bitcoin on my system.

Also from the links above it seems to have been started by Chrome or Chromium from probably what they call Puppeteer, possibly abusing this tool. It looks like it was a headless chrome. Could have been doing almost anything that a browser can do, including running javascript.

I’m still baffled as to what it’s got to do with OnlyKey. Anyone got any ideas?

The OnlyKey app is built with NWJS - https://nwjs.io/

As with Electron and NWJS based apps they use Chromium to create cross-platform applications. I am not sure why your core was at 100% usage but this is not related to malware in the app, you can review the app source here which is in javascript - https://github.com/trustcrypto/OnlyKey-App

1 Like