Malware Strains Target Python and JavaScript Developers Through Official Repositories

Malware strains are targeting Python and JavaScript developers through the official Python Package Index (PyPI) and npm repositories, using typosquatted and fake modules to deploy a ransomware strain.

Some fake Python packages are typosquatting the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste.

The rogue packages contain source code that retrieves a Golang-based ransomware binary matching the victim’s operating system and microarchitecture. If executed successfully, the package encrypts the victim’s data and demands a $100 ransom in cryptocurrency, according to Phylum.

Five libraries were spotted on npm behaving in the same manner: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd and telnservrr. We don’t know for sure whether this is related to the PyPI campaign, but it is a sign of how widespread this threat has become.

Phylum CTO Louis Lang said, “The attacker has also published several npm packages that behave in a similar manner. Each of the libraries contains the JavaScript equivalent of the same code to deploy the ransomware.”

ReversingLabs recently discovered 10 new PyPI packages pushing a modified version of the W4SP Stealer malware. This attack seems to have started around September 25, 2022, and targets developers by providing them with “free” versions of software that contain malware.

That’s not all. Recently, Israel-based security firm Legit Security demonstrated a new attack technique against the Rust repository (“rust-lang”) that abuses GitHub Actions to poison legitimate build artifacts.

Build artifacts are the files created by the build process, such as distribution packages, WAR files, logs, and reports. This means that if a malicious actor trojanized an artifact with a module, it could steal sensitive information or deliver additional payloads to all of its downstream users.

“The vulnerability was found in a workflow called ‘ci.yml’,” Legit Security’s Noam Dotan said in his technical analysis of the problem.

This exploit would allow an attacker to foist malware onto a GitHub workflow and tamper with repository branches, pull requests, issues, or releases.

A group of volunteers who maintain the Rust programming language released a patch on September 26, 2022, following responsible disclosure on September 15, 2022.
