In recent days, several malicious packages that turned developer workstations into cryptomining machines have been detected on the PyPI repository for Python projects.
All of the malicious packages were posted from the same account and tricked developers into downloading them thousands of times by using the names of legitimate Python projects, deliberately misspelled.
A total of six packages containing malicious code infiltrated the Python Package Index (PyPI) in April:
All six came from the user "nedog123", and most of their names are variations on the legitimate plotting library Matplotlib (but not spelled correctly).
Ax Sharma, a security researcher at Sonatype, analyzed the "maratlib" package, noting that it was used as a dependency by the other malicious components.
"For each of these packages, the malicious code is included in the setup.py file, which is a build script that runs when you install a package," writes the researcher.
While analyzing the package, the researcher also found that maratlib tried to download a Bash script (aza2.sh) from a GitHub repository that is no longer available.
Through his analysis, Sharma found that the role of the script was to run a cryptominer called "Ubqminer" on the compromised computer.
The researcher also noted that the malware's creator replaced the default Kryptex wallet address with their own for mining the Ubiq cryptocurrency (UBQ).
In another variant, the script included a different cryptomining program that uses GPU power, the open-source T-Rex.
Attackers often target open-source code repositories such as PyPI, NPM for NodeJS, or RubyGems.
In this case, the six malicious packages were detected by Sonatype after scanning the PyPI repository with its automated malware detection system, Release Integrity. By the time they were located, the malicious packages had collected almost 5,000 downloads (since April), with "maratlib" recording the highest number, 2,371.
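A defender-side check prompted by the misspelled package names described above. This is an added example, not code from the article or from Sonatype's Release Integrity: it flags entries in a requirements file that are close edits of allowlisted project names, using a short illustrative allowlist (KNOWN_GOOD) and a constructed sample requirements list.

```python
import re

KNOWN_GOOD = {"matplotlib", "numpy", "requests", "pandas", "scipy"}  # illustrative allowlist

def levenshtein(a, b):
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(name):
    """PEP 503 name normalization: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def requirement_name(line):
    """Project name from one requirements.txt line; None for blanks, comments and options."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return m.group(0) if m else None

def find_typosquats(requirements, known_good=KNOWN_GOOD, min_similarity=0.6):
    """Map suspicious requirements to the allowlisted name each most resembles. Similarity
    is 1 - edits / longer length, so 'maratlib' (4 edits from 'matplotlib') scores 0.6."""
    good = {normalize(n) for n in known_good}
    hits = {}
    for line in requirements.splitlines():
        name = requirement_name(line)
        if name is None or normalize(name) in good:
            continue  # option/comment line, or an exact allowlisted name
        norm = normalize(name)
        nearest = min(good, key=lambda g: levenshtein(norm, g))
        similarity = 1 - levenshtein(norm, nearest) / max(len(norm), len(nearest))
        if similarity >= min_similarity:
            hits[name] = nearest
    return hits

# Constructed sample requirements: "maratlib" is the name from the article, the rest are made up.
SAMPLE_REQUIREMENTS = """\
Matplotlib==3.4.2
maratlib
numpyy>=1.20
flask
"""
```

A fixed "at most two edits" rule would miss maratlib, which is why the threshold is relative to name length; tune it against your own lockfile to keep false positives on short names down.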
Source: Bleeping Computer