New Typosquatting Campaign Targets PyPI and NPM

Diving into details

• One of the binaries is ransomware that will update the victim’s desktop background and encrypt some files, upon encryption.
• Soon, however, the threat actors started publishing multiple npm packages that behave similarly. They ask for $100 in BTC, XMR, ETH, or LTC for the decryption key.
• As of Friday, the list of PyPI packages include rdquests, reauests, reduests, reeuests, reqhests,dequests, fequests, gequests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.
• The malicious npm packages include discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.

Threats to PyPI and npm

• In the same month, researchers spotted 29 malicious packages, operating online as typosquatted names of genuine packages, and were downloaded over 5,700 times. Among these 29 packages, 27 dropped the W4SP infostealer.
• In October, LofyGang was spotted delivering 200 malicious packages and fraudulent hacking tools on npm and GitHub. It aimed to steal credit card details and user accounts from Discord Nitro, gaming, and streaming services.

The bottom line