PyPI Package ‘secretslib’ Drops Fileless Linux Malware to Mine Monero
The curious case of 'secretslib'—a fileless cryptominer
Sonatype has identified a 'secretslib' PyPI package that describes itself as "secrets matching and verification made easy." On closer inspection, though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware ...
Ransomware in PyPI: Sonatype Spots ‘Requests’ Typosquats
Sonatype has identified multiple malicious Python packages that contain ransomware scripts. These packages are named after a legitimate, widely known library called 'Requests.' ...
StringJS Typosquat Deploys Discord Infostealer Obfuscated Five Times
An npm package called 'stringjs_lib' was identified by Sonatype this week. The package typosquats the popular npm library 'string' (or StringJS) and ships a Discord info-stealer obfuscated not once but five times ...
This Week in Malware—John Deere dependency confusion attempt and more
This Week in Malware we discovered and analyzed 17 packages, at least a dozen of which were dependency confusion PoCs directly targeting the agricultural equipment giant John Deere (Deere & Company) ...
John Deere dependency confusion attempt flagged by Sonatype
This week Sonatype identified 17 npm packages, at least 12 of which directly target John Deere's private npm dependencies via dependency confusion, a technique repeatedly employed by bug bounty hunters and malicious actors alike when targeting open source packages. John Deere, or more specifically, Deere & Company, ...
This Week in Malware—July 15th Edition
This Week in Malware we discovered and analyzed multiple PyPI and npm packages that are either dependency confusion candidates or prank packages, contain PoC reverse shell code, or were otherwise flagged as suspicious for containing extensive obfuscation without good reason ...
This Week in Malware—Python packages peek into your Telegram, set up Windows RDP access
This Week in Malware we discovered and analyzed multiple malicious PyPI packages that either set up new Remote Desktop user accounts on your Windows computer or steal encrypted Telegram data files from your Telegram Desktop client ...
PyPI Packages Steal Telegram Cache Files, Add Windows Remote Desktop Accounts
This week Sonatype has discovered multiple malicious PyPI packages that either set up new Remote Desktop user accounts on your Windows computer or steal encrypted Telegram data files from your Telegram Desktop client ...
This Week in Malware—Python Cryptominers, 345 Dependency Confusion Packages
This Week in Malware, highlights include an influx of hundreds of dependency confusion packages with diverse targets and a 'python-dateutils' PyPI package that attempts to typosquat the widely known Python module, dateutil ...
python-dateutils—A Cryptominer in Disguise Targeting Windows, Linux, macOS
You've probably heard of the Python module 'dateutil'. The module offers powerful extensions to the standard datetime library and is used extensively by Python developers. Yesterday, however, Sonatype's automated malware detection system caught a suspicious PyPI package called 'python-dateutils' that mines Monero (XMR) cryptocurrency on your system—whether Windows, Linux, or macOS, and ...