Package Manager: Malicious Code Cryptomining on PyPI Targets Data Science Projects



Once again, Sonatype reports the detection of malicious code in six packages in the Python software repository PyPI (Python Package Index). All packages come from the same author and indirectly download a bash script, which in turn tries to install a crypto mining tool.

The oldest packages date from April. In total, the packages account for around 5,000 downloads, although the number of affected users is probably only about half that: the download code for the bash script sits in the most frequently downloaded package, which the other packages in turn pull in as a dependency.

The names maratlib, maratlib1, matplatlib-plus, mllearnlib, mplatlib and learninglib suggest a connection to data science and machine learning. Some probably rely on typosquatting, i.e. placing malicious code in packages whose names resemble those of popular packages. Such names often deliberately contain typos, separators such as underscores or hyphens, or additions such as "plus".
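The naming patterns described above (typos, varied separators, suffixes such as "plus", a trailing version-like digit) can be normalised away before comparing a name against a list of popular packages. The following is an added example, not code from Sonatype or the article; the list of popular names is a constructed assumption, and the similarity threshold is a tunable value chosen for this small sample.

```python
import re
from typing import List, Tuple

# Constructed list of popular names (assumption; a real check would use a long
# list such as the most-downloaded PyPI packages).
POPULAR = ["matplotlib", "scikit-learn", "numpy", "pandas", "requests"]

# The same-author packages named in the Sonatype report.
SUSPECTS = ["maratlib", "maratlib1", "matplatlib-plus",
            "mllearnlib", "mplatlib", "learninglib"]

SIMILARITY_THRESHOLD = 0.6  # tunable: lower catches more, with more false positives


def canonical(name: str) -> str:
    """Comparison key: lower-case, drop the separators typosquatters vary
    (PEP 503 treats -, _ and . as equivalent), drop a trailing number
    (maratlib1) and a trailing 'plus' (matplatlib-plus)."""
    key = re.sub(r"[-_.]", "", name.lower())
    key = re.sub(r"\d+$", "", key)
    return re.sub(r"plus$", "", key)


def levenshtein(a: str, b: str) -> int:
    """Single-row dynamic-programming edit distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, popular=POPULAR) -> List[Tuple[str, float]]:
    """(popular_name, similarity) pairs this name resembles; the genuine
    package itself (identical key) is never reported."""
    key, hits = canonical(name), []
    for real in popular:
        rkey = canonical(real)
        if key == rkey:
            continue
        score = round(1 - levenshtein(key, rkey) / max(len(key), len(rkey)), 2)
        if score >= SIMILARITY_THRESHOLD:
            hits.append((real, score))
    return hits


if __name__ == "__main__":
    for name in SUSPECTS:
        hits = typosquat_candidates(name)
        print(f"{name:16} {'LOOK-ALIKE of ' + str(hits) if hits else 'no close match'}")
```

Run against the six names, the matplotlib look-alikes are flagged while mllearnlib and learninglib are not, matching the article's "some probably rely on typosquatting".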

The attack evidently starts with the maratlib package, and most of the other packages list it as a direct dependency in order to pull it in. In the current version 1.0 of maratlib the malicious code in the installation routine is heavily obfuscated, but according to Sonatype version 0.6 contains the download of a bash script from GitHub in plain text.

Calling the GitHub repository URL from the old version of the malicious package now returns nothing.

(Image: Sonatype)

The script can no longer be found under the name or URL used in the old version, but further research has turned up what are likely the matching bash scripts under the author's alias; they download the crypto mining tool Ubqminer. The latter is modified so that the mining proceeds are directed to a specific wallet.

The case is not an isolated one: security researchers repeatedly report malicious code in packages on platforms such as PyPI or npm. Alongside typosquatting, brandjacking has become established, in which packages bearing the names of well-known vendors such as Twilio are given a seemingly legitimate veneer. Google recently proposed a framework against supply chain attacks that, among other measures, is intended to prevent the inadvertent use of packages containing malicious code.

This year heise Developer, heise Security and dpunkt.verlag are holding heise devSec, the conference for secure software development, as three themed days. The DevSecOps Day on June 29 focuses on securing the pipeline and thus protecting the supply chain. On July 1, the Web Application Security Day addresses the specific attacks in the talk "NPM: Please wait a moment, the next supply chain attack will be with you shortly."

Regardless of fluctuations in the value of cryptocurrencies, mining remains highly attractive for attackers: in April, malicious code abused GitHub's CI/CD (Continuous Integration/Continuous Delivery) service to run a cryptomining tool. In May, GitLab announced measures to counter similar attacks.

More details on the latest attack can be found in Sonatype's blog post. Sonatype has informed the PyPI operators; some of the mentioned packages, including maratlib, were still in the repository when this article was written.

