3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners


Jan 04, 2024 | Newsroom | Cryptocurrency Miner / Malware


Three new malicious packages have been found in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.

The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down.

“These packages, upon initial use, deploy a CoinMiner executable on Linux devices,” Fortinet FortiGuard Labs researcher Gabby Xiong said, adding that the campaign shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.


The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server: a shell script (“unmi.sh”) that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab.
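For defenders vetting a dependency before installing it, the import-time behaviour described above can be checked statically. The sketch below is an added example, not code from Fortinet or from the packages themselves; the sink and decoder name lists and both sample sources are constructed assumptions.

```python
import ast

# Heuristic name lists (assumptions for this example, not exhaustive).
# Aliased imports such as "from os import system" are not resolved.
EXEC_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "exec", "eval"}
DECODERS = {"base64.b64decode", "base64.b32decode", "bytes.fromhex",
            "codecs.decode", "binascii.unhexlify"}

def dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def import_time_calls(tree):
    """Yield calls that run when the module is imported (not in function bodies)."""
    stack = list(tree.body)
    while stack:
        node = stack.pop()
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.Lambda)):
            continue
        if isinstance(node, ast.Call):
            yield node
        stack.extend(ast.iter_child_nodes(node))

def audit_init(source):
    """Return sorted (line, sink, reason) findings for one __init__.py source."""
    findings = []
    for call in import_time_calls(ast.parse(source)):
        name = dotted(call.func)
        if name not in EXEC_SINKS:
            continue
        inner = {dotted(n.func) for a in call.args for n in ast.walk(a)
                 if isinstance(n, ast.Call)}
        if inner & DECODERS:
            findings.append((call.lineno, name, "decoded string executed on import"))
        elif not all(isinstance(a, ast.Constant) for a in call.args):
            findings.append((call.lineno, name, "dynamic command executed on import"))
    return sorted(findings)

# Constructed samples: the encoded string is a harmless "echo constructed".
SUSPECT = 'import os, base64\nos.system(base64.b64decode("ZWNobyBjb25zdHJ1Y3RlZA==").decode())\n'
BENIGN = 'import subprocess\ndef version():\n    return subprocess.run(["git", "describe"])\n'
```

Run `audit_init` over the `__init__.py` of an unpacked sdist or wheel before installation; a finding is a reason for manual review, not proof of malice.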

The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run after exiting the session.

“Echoing the approach of the earlier ‘culturestreak’ package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL,” Xiong said. “The payload is then incrementally released in various stages to execute its malicious activities.”

The connections to the culturestreak package also stem from the fact that the configuration file is hosted on the domain papiculo[.]internet and the coin mining executables are hosted on a public GitLab repository.


One notable improvement in the three new packages is the introduction of an extra stage by concealing their nefarious intent in the shell script, thereby helping it evade detection by security software and lengthening the exploitation process.

“Furthermore, this malware inserts the malicious commands into the ~/.bashrc file,” Xiong said. “This addition ensures the malware’s persistence and reactivation on the user’s device, effectively extending the duration of its covert operation. This strategy aids in the prolonged, stealthy exploitation of the user’s device for the attacker’s benefit.”
