Official Python repository used to distribute cryptomining malware
Security research firm Sonatype, which focuses on software supply chain management security, has identified six different Python packages containing malware on the official Python software repository PyPI. The malicious packages all contained instructions in their setup.py setup files that would download and install cryptomining malware onto systems that install the packages.
The packages themselves were downloaded almost 5,000 times in the last few months, and were posted by a user named nedog123. The packages in question are:
- maratlib: 2,371
- maratlib1: 379
- matplatlib-plus: 913
- mllearnlib: 305
- mplatlib: 318
- learninglib: 626
Some of them are clearly meant as “typosquats”, named 1 character off or very similarly to popular machine learning packages on PyPI such as “mplatlib” instead of the official “matplotlib”. This kind of supply-chain security attack is making companies very nervous right now although this one does not seem to do anything more than steal some system resources.
Sonatype details out exactly how they were able to detect the cryptominer, even though the packages were heavily obfuscated and called other packages from github. The blog post is very interesting if malware research is up your alley, and even though it reads a bit like an ad for their Release Integrity software, it is an effective one.
This kind of malware should not affect most users that might be running advanced antivirus protection, these were machine learning packages targeted at researchers with expensive high performance linux machines.