PyPI cryptomining malware

Sonatype catches a new PyPI cryptomining malware where the malicious typosquatting packages infiltrating the PyPI repository that secretly pulls in cryptominers on the affected machines.

Python Package Index (PyPI) Packages

  • maratlib
  • maratlib1
  • matplatlib-plus
  • mllearnlib
  • mplatlib
  • learninglib

The counterfeit components were revealed by Sonatype’s automated malware detection system, Release Integrity, which is part of the next-gen Nexus Intelligence engine.

The analysis was done mainly on the “maratlib” package since most other malicious components just pull in this one as a dependency. Some of these packages are “typosquats,” or programs that are expected to be grabbed by people accidentally typing in the wrong name.

For instance, the counterfeit “mplatlib” and “matplatlib-plus” are named after the legitimate Python plotting software “matplotlib.”

As observed, for each of these packages, the malicious code is contained in the setup.py file which is a build script that runs during a package’s installation.

Bash scripts run cryptominers on compromised machines. The bash script pulled in by the malicious PyPI package further downloads a cryptominer called “Ubqminer.”

Research says, ever since their release, these packages have scored 5,000 downloads altogether. Sonatype has been tracing novel brandjacking, cryptomining, and typosquatting malware lurking in software repositories.

These PyPI packages have been lurking on the repository for months, targeting developer systems to turn them into cryptominers. Release Integrity’s experimental runs have managed to catch over 3,157 PyPI packages. These components are either confirmed malicious, previously known to be malicious, or dependency confusion copycats.

The moment, Release Integrity flags a package or a dependency as “suspicious,” it undergoes a quarantine queue for manual review by the Sonatype Security Research Team. In the meantime, users of the Nexus Firewall are protected from these suspicious packages.

Also, users who have enabled the “Dependency Confusion Policy” feature will get proactive protection from dependency confusion attacks. This works whether conflicting package names exist in a public repository or your private, internal repository.

Therefore the company’s analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains. In effect, the report says that Release Integrity has identified above 12,000 suspicious npm open source packages.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.