Sonatype Catches New PyPI Cryptomining Malware

Sonatype has identified malicious typosquatting packages infiltrating the PyPI repository that secretly pull in cryptominers on the affected machines.

These PyPI packages are listed below; together they account for almost 5,000 downloads:

  • maratlib
  • maratlib1
  • matplatlib-plus
  • mllearnlib
  • mplatlib
  • learninglib

All of these were posted by the same author (“nedog123”) on PyPI, some as early as April of this year.

These counterfeit components were discovered by Sonatype’s automated malware detection system, Release Integrity, which is part of our next-gen Nexus Intelligence engine.

Our analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains. In fact, since launching in 2019, Release Integrity has identified over 12,000 suspicious npm open source packages, many of which have made headlines time and time again [1, 2, 3, 4,…].

While we’ve historically focused on the npm ecosystem, my colleague and data scientist Cody Nash nudged me over the weekend with these components, explaining, “these packages came while exploring other ecosystems and developing new Release Integrity malware detection capabilities.”

As observed by Sonatype with open source ecosystems like npm, Nash believes this is a trend of malicious packages infiltrating PyPI, and expects it to keep growing. A bar graph at the end of this post will explain why.

What’s inside these packages?

Our primary focus for this analysis is “maratlib” because most other malicious components simply pull in this one as a dependency. For example, this is the case for the aforementioned “learninglib”:

Image: “maratlib” dependency in the “learninglib” package

Also, some of these packages are “typosquats,” or programs that are expected to be grabbed by people accidentally typing in the wrong name. For example, the counterfeit “mplatlib” and “matplatlib-plus” are named after the legitimate Python plotting software “matplotlib.”
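The two behaviours described above, a malicious package pulled in transitively as a dependency and a name that sits one or two keystrokes away from a legitimate one, are both things a dependency audit can flag before install. The script below is an added example written for this post; it is not Sonatype's Release Integrity or any PyPI tooling. The six package names come from the post, while the allowlist of known-good packages, the dependency map (apart from the learninglib to maratlib edge the post shows), and the list of affixes are constructed assumptions for the demonstration.

```python
import re

# Package names the post reports as malicious (taken from the post itself).
REPORTED_MALICIOUS = {
    "maratlib", "maratlib1", "matplatlib-plus",
    "mllearnlib", "mplatlib", "learninglib",
}

# Hypothetical allowlist of packages a project legitimately depends on
# (assumption for this example; in practice, the project's reviewed, pinned set).
KNOWN_GOOD = {"matplotlib", "numpy", "scikit-learn", "requests"}

# Constructed dependency map standing in for what a resolver reports from each
# package's metadata. The learninglib -> maratlib edge is the one the post shows;
# the remaining edges are illustrative.
DEPENDENCY_MAP = {
    "learninglib": ["maratlib"],
    "matplatlib-plus": ["matplotlib", "numpy"],
    "matplotlib": ["numpy"],
    "scikit-learn": ["numpy"],
    "numpy": [],
    "requests": [],
}

# Affixes commonly bolted onto a real name to make a look-alike (assumed list).
COMMON_AFFIXES = ("-plus", "-extra", "-pro", "2", "3")


def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_', '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(spec: str) -> str:
    """Bare, normalised project name from a specifier such as 'numpy>=1.20'."""
    return normalize(re.split(r"[\s<>=!~;\[]", spec.strip(), maxsplit=1)[0])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name: str):
    """Return the allowlisted name this one most resembles, or None.

    Two heuristics: an edit distance of at most 30% of the target's length
    ('mplatlib' is 3 edits from 'matplotlib'), and the target reappearing once
    a common affix is stripped ('matplatlib-plus' -> 'matplatlib').
    """
    variants = {name}
    for affix in COMMON_AFFIXES:
        if name.endswith(affix) and len(name) > len(affix):
            variants.add(name[: -len(affix)])
    best = None
    for variant in variants:
        for good in KNOWN_GOOD:
            d = levenshtein(variant, good)
            # Integer arithmetic for the 30% threshold avoids float comparison.
            if d * 10 <= 3 * len(good) and (best is None or d < best[0]):
                best = (d, good)
    return best[1] if best else None


def classify(name: str):
    """Verdict for one normalised name plus the legitimate name it imitates, if any."""
    if name in KNOWN_GOOD:
        return ("allowlisted", None)
    target = typosquat_target(name)
    if name in REPORTED_MALICIOUS:
        return ("reported-malicious", target)
    if target:
        return ("typosquat-suspect", target)
    return ("unreviewed", None)


def audit(requirements, dependency_map=DEPENDENCY_MAP):
    """Walk direct requirements and their transitive dependencies.

    Returns {name: ((verdict, target), via)} where 'via' is the package that
    pulled the name in (None for a direct requirement).
    """
    findings = {}
    stack = [(requirement_name(r), None) for r in requirements]
    while stack:
        name, via = stack.pop()
        if name in findings:
            continue
        findings[name] = (classify(name), via)
        for dep in dependency_map.get(name, []):
            stack.append((normalize(dep), name))
    return findings


if __name__ == "__main__":
    report = audit(["learninglib==0.1", "matplatlib-plus", "numpy>=1.20"])
    for pkg, ((verdict, target), via) in sorted(report.items()):
        detail = f" (resembles {target})" if target else ""
        origin = f", pulled in by {via}" if via else ""
        print(f"{pkg:16} {verdict}{detail}{origin}")
```

Run against the constructed requirements, the audit reports `maratlib` as reported-malicious even though nothing requested it directly (it arrives via `learninglib`), and ties both `mplatlib` and `matplatlib-plus` back to `matplotlib`. A blocklist alone would miss tomorrow's name; the distance and affix heuristics are what give an allowlist-driven check some reach beyond names already known to be bad.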

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: https://blog.sonatype.com/sonatype-catches-new-pypi-cryptomining-malware-via-automated-detection