A security researcher working for Sonatype has identified six malicious packages in the PyPI repository that can secretly run crypto miners on your machines. Ax Sharma, who initially discovered these packages, found that they have been downloaded by about 5,000 people combined.
Infiltrating commonly used code repositories with such malicious packages isn’t anything new, and this isn’t the first time PyPI has been abused either. In 2016, a college student tricked about 17,000 coders into running a malicious script he posted on the repository.
Similar repos like npm and RubyGems have also been abused with such so-called ‘typosquatting’ attacks. In such cases, the attacker duplicates a commonly used package but gives it a name similar to the original. If a user makes a typo while installing the package, they end up installing the malicious one instead.
The damage done: Six packages found infected
The following six packages were found to be infected. As mentioned above, the packages were downloaded about 5,000 times combined. Here’s a breakdown of their download numbers (download numbers are taken from PePy):
- maratlib: 2,439
- maratlib1: 388
- matplatlib-plus: 936
- mllearnlib: 314
- mplatlib: 330
- learninglib: 644
These packages were posted by someone named ‘nedog123’ on PyPI, with some packages going back as far as April this year.
The malicious code was inserted in the setup.py files of these packages and ran when the package was being installed. This caused the infected PC to run either the ubqminer or the T-Rex crypto miner and send the mined crypto to the attacker’s wallet 0x510aec7f266557b7de753231820571b13eb31b57.
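A defender-side check for the naming trick described above, added here as an example that is not code from the article, Sonatype or the researcher: it scores a requested package name against a constructed allow-list of a project's real dependencies and flags near-misses such as the matplotlib look-alikes listed above. The allow-list, the 60% similarity threshold and the stem-stripping rules (trailing digit, hyphenated suffix) are assumptions.

```python
import re

# Constructed allow-list standing in for a project's vetted dependencies.
KNOWN_GOOD = ["matplotlib", "numpy", "pandas", "requests", "scikit-learn"]


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case, '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def stems(name: str) -> set:
    """Strip decorations attackers bolt onto a real name: a trailing digit
    (maratlib1) or a hyphenated suffix (matplatlib-plus)."""
    out = {name, name.rstrip("0123456789")}
    parts = name.split("-")
    out.update("-".join(parts[:k]) for k in range(1, len(parts)))
    return {s for s in out if s}


def check_name(name: str, known_good=KNOWN_GOOD, min_score: int = 60):
    """Return (closest known-good name, similarity 0-100, suspicious?).
    Similarity is an integer percentage so the threshold compares exactly;
    a name that is not itself known-good but scores >= min_score is flagged."""
    n = normalize(name)
    good = [normalize(k) for k in known_good]
    if n in good:
        return n, 100, False
    best_name, best_score = "", -1
    for k in good:
        for s in stems(n):
            longest = max(len(s), len(k))
            score = 100 * (longest - edit_distance(s, k)) // longest
            if score > best_score:
                best_name, best_score = k, score
    return best_name, best_score, best_score >= min_score
```

Name similarity alone catches the matplotlib look-alikes but not mllearnlib or learninglib, so this check complements, rather than replaces, inspecting what a package's setup.py does at install time.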
How were the cryptomining packages caught?
These typosquats contain a lot of heavily obfuscated code that attempts to connect to GitHub. Further investigation by Sharma into previous versions of the malicious package ‘maratlib’ revealed that the code downloads and runs a Bash script from GitHub every time the package is installed, triggered by the setup.py file.
However, the URL serving the Bash script was returning a 404 (not found) error. In fact, in every package version, the URL pointing to the Bash script (named variously seo.sh, aza.sh, aza2.sh or aza-obf.sh) was not functional.
It later appeared that the author had switched aliases, eventually landing on ‘maratoff’, where some of the scripts were found. Upon closer inspection, one can clearly see ubqminer mining crypto and sending it to the attacker’s wallet, along with performing other tasks such as reporting the hash rate.