Researchers discovered six rogue packages in the official Python programming language’s PyPI repository containg cryptocurrency mining malware.
Experts from security firm Sonatype have uncovered six typosquatting packages in the official Python programming language’s PyPI repository that were laced with cryptomining malware.
The Python Package Index (PyPI) is a repository of software for the Python programming language, it allows users to easily find and install software developed and shared the community contributors.
The hackers used typo-squatted names for the malicious packages that were downloaded more than 5000 times. All the packages were posted on PyPI by the author “nedog123,” some as early as April of this year.
Below the fake PyPI packages and the related number of downloads:
- maratlib: 2,371
- maratlib1: 379
- matplatlib-plus: 913
- mllearnlib: 305
- mplatlib: 318
- learninglib: 626
The tools were discovered by Sonatype’s automated malware detection system, Release Integrity, which is part of the company next-gen Nexus Intelligence engine.
“For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation.” reads the analysis published by Sonatype.
The packages contained malicious code in the setup.py files to install cryptomining malware onto every system running software or services that leverage the rogue packages.
The code essentially downloads and runs a Bash script from GitHub:
At the time of this writing the URL serving the bash script (hxxps://github.com/nedog123/files/raw/main/aza[.]sh) throws a 404 error.
The Bash script was hosted on GitHub under different names such as seo.sh, aza.sh, aza2.sh, or aza-obf.sh.
“Once again, this particular discovery is a further indication that developers are the new target for adversaries over the software they write. Sonatype has been tracing novel brandjacking, cryptomining, and typosquatting malware lurking in software repositories. We’ve also found critical vulnerabilities and next-gen supply-chain attacks, as well as copycat packages targeting well-known tech companies.” concludes the report.
“These PyPI packages have been lurking on the repository for months, targeting developer systems with the goal of turning them into cryptominers.”
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Pypi)
Share On
Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at “Cyber Defense Magazine”, Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog “Security Affairs” recently named a Top National Security Resource for US. Pierluigi is a member of the “The Hacker News” team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books “The Deep Dark Web” and “Digital Virtual Currency and Bitcoin”.
Researchers discovered six rogue packages in the official Python programming language’s PyPI repository containg cryptocurrency mining malware.
Experts from security firm Sonatype have uncovered six typosquatting packages in the official Python programming language’s PyPI repository that were laced with cryptomining malware.
The Python Package Index (PyPI) is a repository of software for the Python programming language, it allows users to easily find and install software developed and shared the community contributors.
The hackers used typo-squatted names for the malicious packages that were downloaded more than 5000 times. All the packages were posted on PyPI by the author “nedog123,” some as early as April of this year.
Below the fake PyPI packages and the related number of downloads:
- maratlib: 2,371
- maratlib1: 379
- matplatlib-plus: 913
- mllearnlib: 305
- mplatlib: 318
- learninglib: 626
The tools were discovered by Sonatype’s automated malware detection system, Release Integrity, which is part of the company next-gen Nexus Intelligence engine.
“For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation.” reads the analysis published by Sonatype.
The packages contained malicious code in the setup.py files to install cryptomining malware onto every system running software or services that leverage the rogue packages.
The code essentially downloads and runs a Bash script from GitHub:
At the time of this writing the URL serving the bash script (hxxps://github.com/nedog123/files/raw/main/aza[.]sh) throws a 404 error.
The Bash script was hosted on GitHub under different names such as seo.sh, aza.sh, aza2.sh, or aza-obf.sh.
“Once again, this particular discovery is a further indication that developers are the new target for adversaries over the software they write. Sonatype has been tracing novel brandjacking, cryptomining, and typosquatting malware lurking in software repositories. We’ve also found critical vulnerabilities and next-gen supply-chain attacks, as well as copycat packages targeting well-known tech companies.” concludes the report.
“These PyPI packages have been lurking on the repository for months, targeting developer systems with the goal of turning them into cryptominers.”
Follow me on Twitter: @securityaffairs and Facebook
(SecurityAffairs – hacking, Pypi)