ClickCease 3 Malicious PyPI Packages Hide CoinMiner on Linux Devices

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

3 Malicious PyPI Packages Hide CoinMiner on Linux Devices

Rohan Timalsina

January 17, 2024 - TuxCare expert team

In a recent cybersecurity revelation, the Python Package Index (PyPI) has fallen victim to the infiltration of three malicious packages: modularseven, driftme, and catme. These packages, although now removed, managed to amass a concerning 431 downloads within the past month, posing a significant threat to the security of Linux devices.


The Cryptocurrency Mining Connection


Researchers Gabby Xiong of Fortinet FortiGuard Labs found that these packages are similar to one that was used in a previous campaign called culturestreak after giving them a closer look. Like previous, these malicious packages deploy a CoinMiner executable on Linux devices upon initial use, making cryptocurrency mining the primary threat.

These PyPI malicious packages successfully hide their payload, reducing the detectability of their malicious code. The primary method involves hosting the payload on a remote URL, specifically in the file. This file decodes and retrieves the initial stage from a remote server, obtaining a shell script named “”, responsible for fetching a configuration file and the CoinMiner executable hosted on GitLab.


Execution and Persistence


The ELF binary file is then executed in the background using the nohup command, ensuring the sustained operation of the process even after the user exits the session. Notably, these packages exhibit an improvement over the culturestreak package by introducing an extra stage. This additional layer conceals their nefarious intent within the shell script, enhancing their ability to evade detection by security software and prolonging the exploitation process.

The hosting of the coin mining executables on a public GitLab repository and the configuration file on the domain papiculo[.]net reveal the ties to the culturestreak package. This connection highlights a worrying pattern in the distribution of harmful packages with common origins, underscoring the necessity for increased awareness among Python developers.

Additionally, the introduction of malicious commands into the ~/.bashrc file in these PyPI packages ensures the malware’s persistence and reactivation on the user’s device. This strategic move enables a prolonged, stealthy exploitation of the user’s device for the benefit of the attacker.




The discovery of these malicious PyPI packages underscores the evolving sophistication of cyber threats targeting the Python development ecosystem. Developers and security experts must remain vigilant, implementing robust measures to detect and prevent the infiltration of malicious packages.


The sources for this article include a story from TheHackerNews.

3 Malicious PyPI Packages Hide CoinMiner on Linux Devices
Article Name
3 Malicious PyPI Packages Hide CoinMiner on Linux Devices
Explore the dangers of three malicious PyPI packages, revealing their intricate tactics and the evolving risks to Python developers.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter