Some unofficial repositories for Kodi open-source media player serve a modified add-on that leads to downloading cryptomining malware on Windows and Linux platforms.
Security researchers discovered a campaign that infects machines running Kodi via a legitimate add-on that has been altered by cybercriminals looking to mine the Monero cryptocurrency with the resources of Kodi users.
The operation appears to have started in December 2017 through 'script.module.simplejson' add-on hosted by the now-defunct Bubbles repository. As Bubbles disappeared, Gaia repository started to distribute the malicious add-on.