In the PyPI repository for Python projects that transformed workstations developers into crypto mining machines, many malicious packaging were captured this week.
All malicious packages were uploaded on the very same account and the developers tried to install them by using the wrong names for the genuine Python projects, thousands of times.
The Python Package Index is the official third-party
Python software repository is stylized as PyPI and is also referred to as the Cheese Shop. It's the same as CPAN, Perl's repository. Some package managers, notably pip, use PyPI for packages as the default source.
In April, a total of six harmful packages were infiltrated with the Python Package Index (PyPI) - maratlib, maratlib1, matplatlib-plus, mllearnlib, mplatlib, learning lab.
Everything comes from "nedog123" and also most names are misspelled versions of the genuine plot program matplotlib.
The "maratlib" packet was evaluated by Ax Sharma, a security researcher at Sonatype, in a blog post. He said the packages were utilized for other malicious components to make them dependent.
The researcher writes, “For each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation.” Sharma determined that it was attempting to download a Bash script (aza2.sh) from a non-existent GitHub repository during the analyses.
The author's aliases were tracked by Sharma on GitHub using open-source intelligence and learned that the script's job was to operate an "Ubqminer" crypto miner on the compromised machine.
The researcher also observes that the creator of malware altered the standard Kryptex wallet address with his own to mine for Ubiq cryptocurrency (UBQ).
The script has another crypto mining program in a separate version, the open-source T-Rex that uses GPU power.
Attackers routinely target open-source code repositories such as PyPI [1, 2, 3], NPM for NodeJS [1, 2, 3], or RubyGems. Although the detection is minimal when there is are low downloads, as usual, there is a major risk that developers would incorporate the malicious code occasionally utilized in applications.
