A large number of these packages were found to be typosquatting. Typosquatting is a tactic in which malicious actors name their packages so that they closely resemble other prominent packages. Examples in this instance include packages such as “iohttp” and “aiohtp”, which attempt to spoof the prominent package “AIOHTTP” in order to lead targets to download the XMRig Monero miner onto their systems.
While a large number of these malicious packages were found in each repository, the researcher noted that all were taken down promptly after they were reported to the site’s administrators. This report follows many similar attacks on repositories. Often, the detection of these malicious packages is done by just a handful of volunteers, which allows malicious actors to upload malware to the sites with relative ease: new malicious packages are uploaded soon after others are removed. In the end, it is up to the end user to apply appropriate due diligence when searching for the legitimate package that they need. Organizations should ensure that developers are vigilant in examining any typos in a package name that may indicate the package is illegitimate.
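One way to make that vigilance mechanical is a pre-install check that compares every requested package name against an allowlist of packages the organization already trusts and flags names that are only a short edit away from one of them. The following is an added example, not code from the report or from any of the repositories it describes: the allowlist and the sample requirements file are constructed for illustration (only “aiohttp”, “iohttp” and “aiohtp” come from the report), and the distance threshold of 2 is an assumption a team would tune to its own false-positive tolerance.

```python
"""Pre-install typosquat check: flag requested package names that are within a
small edit distance of a trusted package name.

Added example; not the original report's code. The trusted list, the sample
requirements text and the threshold are constructed assumptions, except for
"aiohttp", "iohttp" and "aiohtp", which the report names.
"""

import re

# Constructed allowlist of packages the organization already vets and uses.
TRUSTED = {"aiohttp", "requests", "numpy", "cryptography"}

# Constructed sample requirements file: two lookalikes of aiohttp and one
# transposition of "requests" sit next to legitimate entries.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
aiohttp>=3.9
aiohtp==3.9.0
iohttp
requsets~=2.31
numpy
"""


def normalize(name: str) -> str:
    """Normalize a Python package name the way PyPI does (PEP 503):
    case-fold and collapse runs of '-', '_' and '.' into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1. Transpositions matter because
    'requsets' is one keystroke slip away from 'requests'."""
    la, lb = len(a), len(b)
    d = [[0] * (lb + 1) for _ in range(la + 1)]
    for i in range(la + 1):
        d[i][0] = i
    for j in range(lb + 1):
        d[0][j] = j
    for i in range(1, la + 1):
        for j in range(1, lb + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(
                d[i - 1][j] + 1,        # deletion
                d[i][j - 1] + 1,        # insertion
                d[i - 1][j - 1] + cost,  # substitution or match
            )
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[la][lb]


def check_package(name: str, trusted=TRUSTED, max_distance: int = 2):
    """Classify one requested name.

    Returns (verdict, nearest_trusted_name, distance) where verdict is
    "ok" (exact match after normalization), "suspicious" (within
    max_distance of a trusted name but not equal to it) or "unknown"
    (not close to anything trusted; needs ordinary review, not a typo alarm).
    """
    n = normalize(name)
    if n in trusted:
        return ("ok", n, 0)
    # Pick the closest trusted name; break ties alphabetically for determinism.
    nearest = min(trusted, key=lambda t: (damerau_levenshtein(n, t), t))
    dist = damerau_levenshtein(n, nearest)
    if dist <= max_distance:
        return ("suspicious", nearest, dist)
    return ("unknown", nearest, dist)


def audit_requirements(text: str, trusted=TRUSTED):
    """Scan a requirements-style text and return the suspicious entries as
    (requested_name, nearest_trusted_name, distance) tuples."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        # The name ends at the first version specifier, extra, marker or space.
        name = re.split(r"[\s=<>!~\[;]", line, maxsplit=1)[0]
        verdict, nearest, dist = check_package(name, trusted)
        if verdict == "suspicious":
            findings.append((name, nearest, dist))
    return findings


if __name__ == "__main__":
    for requested, nearest, dist in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"SUSPICIOUS: {requested!r} is {dist} edit(s) from trusted {nearest!r}")
```

Run as a CI step before `pip install`, a non-empty finding list fails the build and forces a human to confirm the name; an exact allowlist match passes, and names that resemble nothing on the allowlist are reported as unknown rather than suspicious so that genuinely new dependencies go through normal review instead of drowning the typosquat alerts.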