Researchers at security firm Sonatype have uncovered six malicious typosquatting packages in the official Python programming language’s PyPI repository, laced with cryptomining malware.
Sonatype provides software supply chain automation services. Together, the six packages were downloaded more than 5000 times. Sonatype's security researchers wrote in their report:
“Our analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains.”
What is PyPI?
The Python Package Index, or PyPI, is the official software repository for the Python language. Like other repositories such as npm, GitHub, and RubyGems, PyPI is part of the software supply chain: it is where coders upload software packages that developers then pull in while building applications and services.
Sonatype researchers noted that the fake packages had been submitted by a single author using the ID “nedog123,” and that some of them date back as far as April 2021. The packages carried instructions in their setup.py files that download and install cryptomining malware onto the system as soon as the package is installed (setup.py runs at install time, so the package never has to be imported for the payload to execute).
According to the researchers, a single malicious package can be pulled into many projects and infect each device with cryptominers, info-stealers, or other payloads, which makes remediation extremely difficult.
Malicious Packages Details
The fake PyPI packages are as follows:
- maratlib: 2,371 downloads
- maratlib1: 379 downloads
- matplatlib-plus: 913 downloads
- mllearnlib: 305 downloads
- mplatlib: 318 downloads
- learninglib: 626 downloads
Many of them are typosquats, one character off from, or otherwise similar to, popular machine learning packages on PyPI, such as “mplatlib” in place of the original “matplotlib.”
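One defensive check that follows from this, as an added example rather than code from Sonatype's report: compare every dependency name against an allow-list of well-known packages and flag near misses before installing. The allow-list, the length-scaled distance threshold and the requirements text below are constructed for the demo; the names mplatlib, matplatlib-plus and learninglib are the ones from the report.

```python
import re

# Constructed allow-list for this demo; in practice use the top-N PyPI packages or an
# organisation's approved dependency list.
KNOWN_PACKAGES = {"matplotlib", "numpy", "pandas", "scipy", "scikit-learn", "requests"}

def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (OSA) distance: insert, delete, substitute, adjacent swap."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[-1]

def typosquat_match(name: str, known=KNOWN_PACKAGES):
    """Return (known_package, distance) if `name` is a near miss of a known name, else None.

    Exact matches are trusted. The whole name and each '-'-separated token are compared,
    so matplatlib-plus still resolves to matplotlib. The tolerated edit distance scales
    with the known name's length (1 for numpy, 3 for matplotlib); tune it for your list.
    """
    norm = re.sub(r"[-_.]+", "-", name).lower()     # PyPI name normalization
    if norm in known:
        return None
    best = None
    for k in sorted(known):
        limit = max(1, len(k) // 3)
        for cand in {norm, *norm.split("-")}:
            d = edit_distance(cand, k)
            if 0 < d <= limit and (best is None or d < best[1]):
                best = (k, d)
    return best

def scan_requirements(text: str):
    """Report (requested, resembles, distance) for suspicious lines of a requirements file."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()                  # drop comments / blank lines
        if line:
            requested = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]   # strip specifiers
            if hit := typosquat_match(requested):
                findings.append((requested, *hit))
    return findings

# Constructed requirements text mixing legitimate names with names from the report.
REQUIREMENTS = "matplotlib>=3.4\nmplatlib\nmatplatlib-plus==0.1\nnumpy\nlearninglib\n"
```

Note that learninglib is not flagged: it is not close to any allow-listed name, which is why a name check is a complement to, not a substitute for, inspecting what setup.py actually does at install time.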
The malware may not affect most users, especially those with advanced antivirus protection. Packages like these are usually aimed at researchers running expensive, high-performance Linux machines, which are attractive hosts for cryptomining.