Beware: 3 Malicious PyPI Packages Found Targeting Linux with Crypto Miners
Jan 04, 2024
Cryptocurrency Miner / Malware
Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.

The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down.

"These packages, upon initial use, deploy a CoinMiner executable on Linux devices," Fortinet FortiGuard Labs researcher Gabby Xiong said, adding the activity shares overlaps with a prior campaign that involved the use of a package called culturestreak to deploy a crypto miner.

The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab.

The ELF binary file is then executed in the background using the nohup command, thu...
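A defender-side triage heuristic for the pattern described above (an `__init__.py` that decodes a value and hands it to a shell), as an added example that is not from the article or from Fortinet. The function names, the indicator lists and the constructed sample inputs are assumptions made for illustration.

```python
import ast
import base64
import binascii
import re

# Assumed indicator lists for this illustration; tune them for real triage.
DECODERS = {"b64decode", "b32decode", "a85decode", "fromhex"}
SINKS = {"system", "popen", "Popen", "run", "call", "check_output", "exec", "eval"}
SUSPICIOUS = re.compile(rb"https?://|nohup|curl|wget|\.sh\b")

def _call_name(node):
    """Return the called attribute or function name, e.g. 'system' for os.system()."""
    func = node.func
    return func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")

def _decoded_literals(tree):
    """Yield (line, text) for base64 literals that decode to a URL or shell-like string."""
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Constant) and isinstance(node.value, (str, bytes))):
            continue
        if len(node.value) < 16:
            continue
        try:
            raw = base64.b64decode(node.value, validate=True)
        except (binascii.Error, ValueError):
            continue
        if SUSPICIOUS.search(raw):
            yield node.lineno, raw.decode("utf-8", "replace")

def scan_init(source):
    """Statically inspect __init__.py source; the code under review is never executed."""
    tree = ast.parse(source)
    names = {_call_name(n) for n in ast.walk(tree) if isinstance(n, ast.Call)}
    found = {
        "decoders": sorted(names & DECODERS),
        "exec_sinks": sorted(names & SINKS),
        "decoded_literals": list(_decoded_literals(tree)),
    }
    # Flag only when a decoder, a decoded URL/command and an execution sink co-occur.
    found["suspicious"] = all(found[k] for k in ("decoders", "exec_sinks", "decoded_literals"))
    return found

# Constructed inputs: a stand-in for the decode-then-execute pattern, and a benign init.
_ENC = base64.b64encode(b"https://example.invalid/placeholder.sh").decode()
SAMPLE_FLAGGED = f'\nimport base64, os\nurl = base64.b64decode("{_ENC}").decode()\nos.system("placeholder-fetch " + url)\n'
SAMPLE_CLEAN = '"""Constructed benign package init."""\nfrom .core import draw\n__all__ = ["draw"]\n'

if __name__ == "__main__":
    print(scan_init(SAMPLE_FLAGGED))
    print(scan_init(SAMPLE_CLEAN))
```

A hit is a prompt for manual review of the unpacked sdist or wheel before installation, not a verdict; legitimate packages also decode data and spawn processes.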