Threat Watch

Typosquatting, Malicious NPM and PyPI Packages, and Cryptominers

Over 200 malicious packages (241, per the report linked below) were discovered to have been uploaded to the Python Package Index (PyPI) and the NPM registry by security researcher Hauke Lübbers via his "Package Observatory Club" project. These sites are two of the largest and best-known repositories for Python and JavaScript packages. The Package Observatory Club is an application that queries, stores, and analyzes the metadata of every new package uploaded to PyPI and NPM, which is how the malicious uploads were spotted.


A large number of these packages were found to be typosquatting. Typosquatting is a tactic in which malicious actors give their packages names that differ from a prominent package by a single mistyped, dropped, or transposed character, so that a developer who mistypes the name installs the malicious package instead. Examples in this instance include packages named "iohttp" and "aiohtp", which impersonate the popular "aiohttp" package; installing them dropped the XMRig Monero miner onto the victim's Linux system.

ANALYST NOTES

While a large number of these malicious packages were found in each repository, the researcher noted that all were taken down promptly after they were reported to the repositories' administrators. This report follows many similar attacks on package repositories. Detection of malicious packages is often done by just a handful of volunteers, which lets malicious actors upload malware to the sites with relative ease: new malicious packages appear soon after others are removed. In the end, it is up to the end user to apply appropriate due diligence when searching for the legitimate package they need. Organizations should ensure that developers are vigilant in examining package names for typos that may indicate the package is illegitimate, and should consider automating that check against the dependency files they commit.

https://www.bleepingcomputer.com/news/security/241-npm-and-pypi-packages-caught-dropping-linux-cryptominers/