Python Repo CryptoMined

Researchers uncovered six malicious typosquatting packages in the official Python programming language’s PyPI repository, laced with cryptomining malware.

Python Package Index or PyPI is a software code repository created in Python language. Like other repositories such as npm, GitHub, and RubyGems, PyPI is a part of the software supply chain. It offers a place where coders can upload software packages that developers use while building different applications and services.

The fake packages had been submitted by a single author using the ID “nedog123,” and some of them date as far back as April 2021. The packages contained instructions in the setup.py files that download and install cryptomining malware onto systems after getting installed.

A single malicious package can be used in multiple projects, infect the device with cryptominers or info-stealers, etc., thus, making the remediation process extremely difficult.

Malicious Packages Details

• maratlib: 2,371 downloads
• maratlib1: 379 downloads
• matplatlib-plus: 913 downloads
• mllearnlib: 305 downloads
• mplatlib: 318 downloads
• learninglib: 626 downloads

Many of them are Typosquats, with 1 character off or similar to other machine learning packages on PyPI like “mplatlib” instead of the original “matplotlib.”

The malware may not affect most users if they use advanced antivirus protection. That’s because such machine learning packages are usually targeted at researchers using expensive, high-performance Linux devices.