Malicious PyPI packages turn developer machines into cryptominers

In recent days, several malicious packages that turned developer workstations into cryptomining machines were detected in the PyPI repository for Python projects.

All of the malicious packages were published from the same account and tricked developers into downloading them thousands of times by using misspelled versions of the names of legitimate Python projects (typosquatting).

A total of six packages containing malicious code infiltrated Python Package Index (PyPI) in April:

  • maratlib
  • maratlib1
  • matplatlib-plus
  • mllearnlib
  • mplatlib
  • learninglib

All six came from the user "nedog123", and most of their names are misspellings of the legitimate plotting library Matplotlib.
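One defensive check this kind of typosquatting suggests, as an added example that is not from the article or from Sonatype: compare every name in a requirements file against an allow-list of packages the team actually uses and flag names that are within a small edit distance of a known one. The allow-list, sample names and distance threshold below are constructed for illustration.

```python
"""Flag dependency names that look like typosquats of known packages.

Added example; the KNOWN_GOOD allow-list and the threshold are constructed
and should be replaced with a team's real dependency list.
"""
import re
from typing import Optional, Tuple

# Constructed allow-list of packages a project legitimately depends on.
KNOWN_GOOD = {"matplotlib", "numpy", "scikit-learn", "pandas", "requests"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum single-character inserts, deletes or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PyPI treats '-', '_' and '.' as equivalent and names as case-insensitive."""
    return re.sub(r"[-_.]+", "-", name).lower()


def closest_known(name: str, max_distance: int = 4) -> Optional[Tuple[str, int]]:
    """Return (known_package, distance) for the nearest allow-listed name,
    or None if nothing is within max_distance (a tuning knob, constructed here)."""
    n = normalize(name)
    dist, best = min((levenshtein(n, k), k) for k in KNOWN_GOOD)
    return (best, dist) if dist <= max_distance else None


def classify(name: str) -> str:
    """Label a requested package as known, suspicious (near-miss) or unknown."""
    if normalize(name) in KNOWN_GOOD:
        return "known"
    hit = closest_known(name)
    if hit:
        return f"suspicious: looks like {hit[0]} (distance {hit[1]})"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample requirements, including two names from this article.
    for pkg in ["matplotlib", "mplatlib", "maratlib", "learninglib"]:
        print(f"{pkg:12s} -> {classify(pkg)}")
```

A name classified as "suspicious" should be treated as a review item, not a hard verdict; genuine forks and plugins can also sit close to a popular name.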

Ax Sharma, a security researcher at Sonatype, analyzed the "maratlib" package and noted that it was used as a dependency by the other malicious packages.

"For each of these packages, the malicious code is included in the file, which is a build script that runs when you install a package," writes the researcher.

While analyzing the package, the researcher also found that maratlib was trying to download a Bash script ( from a GitHub repository that is no longer available.

Through his analysis, Sharma found that the script's role was to run a cryptominer called "Ubqminer" on the compromised computer.

The researcher also noted that the malware's author replaced the default Kryptex wallet address with their own in order to mine the Ubiq cryptocurrency (UBQ).

In another variant, the script ran a different cryptomining program, the open-source T-Rex miner, which uses GPU power.

Attackers often target open-source code repositories such as PyPI, npm for Node.js, or RubyGems.

In this case, the six malicious packages were detected by Sonatype after scanning the PyPI repository with its automated malware detection system, Release Integrity. By the time they were found, the malicious packages had accumulated almost 5,000 downloads since April, with "maratlib" recording the highest count at 2,371.

Source: Bleeping Computer