Over 200 malicious packages were discovered to have been uploaded to the Python Package Index (PyPI) and NPM repositories by the security researcher Huake Lübbers via his “Package Observatory Club” project. These sites are two of the largest and best-known repositories for Python and JavaScript packages. The Package Observatory Club is an application that allows for the querying, storing, and analysis of metadata from all new packages that are uploaded to PyPI and NPM.
A large number of these packages were found to be typosquatting. Typosquatting is a tactic used by malicious actors to name their packages similarly to other prominent packages so that a mistyped install command fetches the attacker's package instead. Examples in this instance involve packages such as “iohttp” and “aiohtp”, which attempt to spoof the prominent package “AIOHTTP” in order to lead targets to download the XMRig Monero Miner onto their systems.
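The kind of check a registry monitor can run over newly uploaded names to flag likely typosquats, as an added example (this is not code from the Package Observatory Club or from the original article): it measures the edit distance between each new name and a watch list of prominent packages and reports close-but-not-exact matches such as the “iohttp” and “aiohtp” cases above. The watch list is constructed for illustration; a real deployment would load the most-downloaded names from PyPI and NPM.

```python
from typing import Dict, Iterable, List, Optional

# Constructed watch list for the example (assumption: in practice this is the
# top-N most-downloaded package names pulled from the registry's own stats).
POPULAR_PACKAGES: List[str] = ["aiohttp", "requests", "numpy", "lodash", "express"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_candidate(name: str,
                        popular: Iterable[str] = POPULAR_PACKAGES,
                        max_distance: int = 2) -> Optional[str]:
    """Return the popular package `name` most closely imitates, or None.

    An exact match is the genuine package, not a squat, so it is never flagged.
    Names within `max_distance` edits of a popular name are reported.
    """
    # Registries treat case and '_' vs '-' loosely, so normalise before comparing.
    norm = name.lower().replace("_", "-")
    best, best_d = None, max_distance + 1
    for p in popular:
        d = levenshtein(norm, p.lower().replace("_", "-"))
        if d == 0:
            return None
        if d < best_d:
            best, best_d = p, d
    return best


def triage_new_uploads(names: Iterable[str]) -> Dict[str, str]:
    """Map each suspicious new upload to the popular name it resembles."""
    hits: Dict[str, str] = {}
    for n in names:
        target = typosquat_candidate(n)
        if target is not None:
            hits[n] = target
    return hits
```

Very short watch-list names produce false positives at distance 2 (almost any three-letter name is "close" to another), so production use should raise the threshold with name length and treat the result as a triage queue for human review, not an automatic block.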