Hundreds of npm and PyPI Packages Found Dropping Linux Cryptominers

Key observations

• At least 33 packages on PyPi were observed installing crypto mining software XMRig following a Linux system infection.
• The threat actor published another set of 22 packages with the same malicious payload, targeting Linux systems and installing the cryptomining software.
• The Python packages contain code that downloads the Bash script from the threat actor's server.
• Upon execution, the script notifies the threat actor of the IP address of the compromised host and whether the deployment of cryptominers succeeded.

How are the packages identified?

• The malicious packages were found through a developer and researcher’s side project called the Package Observatory Club, which queries and stores metadata about all new packages uploaded to PyPI and runs some heuristics. In case any package looked suspicious enough, the project alerted the researcher.
• Just last week, Sonatype spotted 186 malicious packages flooding the npm registry that infect Linux hosts with cryptominers by downloading a malicious Bash script from the threat actor's server.

Similar incidents

• PyPi packages target Counter-Strike servers: A dozen malicious Python packages were uploaded to the PyPi repository last weekend to conduct a typosquatting campaign that attacks Counter-Strike 1.6 servers with DDoS attacks.
• PyPi packages steal developer credentials: In early August, threat analysts discovered 10 malicious Python packages on the PyPI repository, used to infect developers' systems with password-stealing malware.

Conclusion