Pypi malicious packages take control of developer devices for crypto mining

Multiple malicious packages turned developers’ workstations into crypto mining machines using the PyPi repository and involving in Python projects. It is found that all those malicious packages were deployed from one single account and have made developers to download the same by tricking them into it using the usual typo tactics that disguise themselves as legitimate links.

PyPi malicious packages via Bash scripts

It is found that six packages were of malicious intent and had entered into the Python Package Index (PyPI), that includes mplatlib, learninglib, mllearnlib, matplatlib-plus, maratlib, and maratlib1.

The account that had deployed these malicious packages is ‘nedog123’ found by a security researcher Ax Sharma working at Sonatype, gave the details of it in his blog post. After some tracking back and analysis, Sharma found that the script tried to download a Bash script frpm GitHub and its role was to run a cryptominer called ‘Ubqminer’ in the host machine.

It seems there is another variant that uses GPU power to mine the cryptocurrency.

What is the threat behind such malicious acts?

When developers use these codes/scripts into a project they are working on, they will include these crypto miners into their program/application they work on, and this could get into production thus benefiting the cyber criminals with the mining and affecting the recipient/host of the application and the device.

These six packages were detected using Sonatype after scanning the repository, unfortunately these Pypi malicious packages have already recorded 5000 downloads since April and the malicious package named ‘maratlib’ was the top downloaded one among the six counting to 2371. So if you’re a developer and are reading this article, please verify you aren’t a victim of this malicious packages. Also, share this with your developer community.