Microsoft: Cyberattacks Against Ukraine and NATO Nations on Rise

An unknown threat actor is publishing malicious Python and npm packages to their major registries, hoping to install cryptominers on the victims’ systems.

Aimed at Linux systems, the campaign is mostly based on typosquatting to get unsuspecting devs and use their machines for mining cryptocurrency. Both the npm registry and PyPI have removed over 240 malicious packages of such till now.

Malicious npm and Python Packages

With millions of developers – including the big companies – seeking JavaScript and Python P
packages for their software, it’s no wonder that threat actors target the registries hosting them. Though the popular ones – npm and PyPI registries mandated a 2FA protection to high priority accounts, it still wasn’t enough.

Lately, a threat actor is seen pushing hundreds of malicious npm and Python packages to concerned registries with scripts for mining cryptocurrency. The typo-squatted popular packages like  Reactargparse, and AIOHTTP,  – which may potentially get installed by unsuspecting developers.

When they install, the packages contain a bash script to procure an XMRig – a cryptocurrency for minting Monero coins – from the hacker’s servers remotely and start minting coins for him using the victim’s resources.

This was spotted by a software developer named Hauke Lübbers, who pointed to “at least 33 projects” on PyPI and 22 other packages in the npm registry – all carrying an XMRig and started mining right after installation.

Adding to these, the Sonatype security team has disclosed another 186 npm typosquatting packages from the hacker’s server URL, making the total count of about 241 malicious packages till now. Upon informing the concerned registries, they removed all these 241 packages immediately.

Yet, it’s an alarming situation for developers, who’re advised to proceed with caution while interacting with any npm or Python package for their project.

Other Trending News:-  News


Please enter your comment!
Please enter your name here