Newly Uncovered PyPI Package Drops Fileless Cryptominer to Linux Systems
Aug 15, 2022
A now-removed rogue package pushed to the official third-party software repository for Python has been found to deploy cryptominers on Linux systems. The module, named " secretslib " and downloaded 93 times prior to its deletion, was released to the Python Package Index (PyPI) on August 6, 2022 and is described as "secrets matching and verification made easy." "On a closer inspection though, the package covertly runs cryptominers on your Linux machine in-memory (directly from your RAM), a technique largely employed by fileless malware and crypters," Sonatype researcher Ax Sharma disclosed in a report last week. It achieves this by executing a Linux executable file retrieved from a remote server post installation, whose main task is to drop an ELF file (" memfd ") directly in memory that functions as a Monero cryptominer, after which it gets deleted by the "secretslib" package. "The malicious activity leaves little to n