Python and JavaScript Repositories are Now Under Critical Investigation

An active malware campaign is targeting official Python and JavaScript repositories

An active malware campaign is targeting official Python and JavaScript repositories. Software supply chain security firm Phylum spotted the campaign after noticing a flurry of activity around typosquats of the popular JavaScript and Python requests package.

Typosquats take advantage of simple typos to get malicious packages installed. In this case, the PyPI typos include: dequests, requests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests. Later on, the company tracked the same attacker publishing the following NPM packages, which also rely on typosquatting: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr. Because they pose as clones of the official libraries, they often go unnoticed until it's too late.
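One way a defender can catch names like the ones listed above is to compare every new package name against a set of popular targets by edit distance. The following is an added example (not code from the article or from Phylum): a small Levenshtein-distance check run over the PyPI names the article reports, with `requests` as the assumed target set.

```python
# Added example (not from the article): flag candidate typosquats of a popular
# package name by edit distance, using the PyPI names the article lists.

POPULAR = {"requests"}  # assumed target set; extend with your own critical deps


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def typosquat_of(name: str, popular=POPULAR, max_distance: int = 1):
    """Return the popular package `name` imitates, or None.

    The exact popular name itself is not a typosquat (distance 0), and names
    further than `max_distance` edits away (e.g. telnservrr) are not flagged.
    """
    name = name.lower()
    for target in popular:
        d = levenshtein(name, target.lower())
        if 0 < d <= max_distance:
            return target
    return None


# Constructed input: the PyPI names reported in the article.
ARTICLE_PYPI_NAMES = [
    "dequests", "requests", "gequests", "rdquests", "reauests", "reduests",
    "reeuests", "reqhests", "reqkests", "requesfs", "requesta", "requeste",
    "requestw", "requfsts", "resuests", "rewuests", "rfquests", "rrquests",
    "rwquests", "telnservrr", "tequests",
]


def flag_typosquats(names, popular=POPULAR):
    """Map each suspicious name to the popular package it resembles."""
    hits = {n: typosquat_of(n, popular) for n in names}
    return {n: t for n, t in hits.items() if t is not None}


if __name__ == "__main__":
    for n, t in flag_typosquats(ARTICLE_PYPI_NAMES).items():
        print(f"{n:12s} -> looks like {t}")
```

Of the 21 listed names, 19 are one edit away from `requests`; the real package and `telnservrr` are left alone, which is the kind of pre-install check a dependency review step or registry monitor can apply.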

Depending on the operating system of the victim's device, the malware downloads a matching Golang binary. When executed, it replaces the desktop background with a fake CIA image and attempts to encrypt some files. It also drops a README file on the desktop that tells the user to contact an individual on Telegram and pay "a small fee of $100" in BTC, ETH, LTC, or XMR; if the victim fails to do so, the attacker claims, the decryption key will be deleted. According to Phylum, the attack is ongoing (as of 13 December 2022), but a new version of the ransomware has been released that also limits the supported architectures.

About Phylum

Phylum is the company that first spotted the campaign against the Python and JavaScript repositories. Phylum is a service that analyzes open-source software packages for indicators of risk, which lets it protect software developers, build pipelines, and software products from malicious code, vulnerabilities, and bad actors. The company's big data platform ingests all the packages in software ecosystems and proactively uses graph theory, machine learning, and various analysis techniques to develop a risk score. These risk scores are then used to understand how open-source software can affect the security posture of the products that use it. The company was founded in 2020 and is based in Evergreen, Colorado.

Analytics Insight
www.analyticsinsight.net