Once again, Sonatype reports the detection of malicious code in six packages in the Python software repository PyPI (Python Package Index). All packages come from the same author and indirectly download a bash script, which in turn tries to install a crypto mining tool.
The oldest packages are from April. In total, the packages come to 5000 downloads, whereby the number of users affected probably only accounts for about half: The code for downloading the bash script is in the most frequently downloaded file, which in turn is reloaded by the other packages.
Typosquatting for data science projects
The packages give with the names
learninglib a proximity to data science and machine learning. Some probably rely on typosquatting, i.e. malicious code in packages with names that are similar to popular packages. They often deliberately contain typing errors or separators such as underscores or hyphens or additions to names such as
Obviously the package is starting
maratlib the attack, and most of the other packages listed it as a direct dependency in order to reload it. The malicious code that is in the installation routine
setup.py is in the current version 1.0 of
maratlib heavily obscured, but according to Sonatype, version 0.6 contains the download of a bash script from GitHub in plain text.
The script can no longer be found under the name or the URL used in the old version, but a further search probably found suitable bash scripts under the author’s alias, which load the crypto mining tool Ubqminer. The latter is modified accordingly in order to direct the mining contract to a specific wallet.
Focus on package managers and version control services
The procedure is not an isolated case: security researchers repeatedly report malicious code in packages on platforms such as PyPI or npm. In addition to typosquatting, brandjacking has established itself, in which the packages with the names of well-known manufacturers such as Twilio are given a seemingly serious coating. Google recently proposed a framework against supply chain attacks that, among other measures, should prevent the inadvertent use of packages with malicious code.
Expand this year heise Developer, heise Security and dpunkt.verlag the conference for secure software development heise devSec at three theme days. June 29th is on the DevSecOps tag The focus is on securing the pipeline and thus protecting the supply chain. The Web Application Security Day themed on July 1st specific attacks in a lecture: “NPM: Please be patient for a moment, the next supply chain attack will be there for you in a moment.”
Irrespective of the fluctuations in the value of the cryptocurrencies, mining is very popular with attacks: In April, malicious code used GitHub’s CI / CD service (Continuous Integration / Continuous Delivery) for a cryptomining tool. In May, GitLab announced measures to counter similar attacks.
More details on the latest attack can be found in the related blog post. Sonatype has informed the PyPI operator, some of the packages mentioned, including
maratlib, were still in the repository when this message was written.