Welcome! Accelerate Your Discovery

Be a part of a committed society that is shaping the future of knowledge Search

Malware Strains Targeting Python and JavaScript Developers Through Official Repositories

Home | Technology | S.I.S 17th December, 2022

0 Comment(s)


An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains.

The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.

According to Phylum, the rogue packages embed source code that retrieves a Golang-based ransomware binary from a remote server depending on the victim's operating system and microarchitecture.

Successful execution causes the victim's desktop background to be changed to an actor-controlled image that claims to the U.S. Central Intelligence Agency (CIA). It's also designed to encrypt files and demand a $100 ransom in cryptocurrency.

In a sign that the attack is not limited to PyPI, the adversary has been spotted publishing five different modules in npm: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.

"The attacker has also published several npm packages that behave in a similar manner," Phylum CTO Louis Lang said, adding each of the libraries contain the JavaScript equivalent of the same code to deploy the ransomware.

The findings come as ReversingLabs uncovered a tranche of 10 additional PyPI packages pushing modified versions of the W4SP Stealer malware as part of an ongoing supply chain attack aimed at software developers that's believed to have started around September 25, 2022.

That's not all. Earlier this month, Israel-based software supply chain security firm Legit Security demonstrated a new attack technique against a Rust repository ("rust-lang") that abuses GitHub Actions to poison legitimate artifacts.

Build artifacts are the files created by the build process, such as distribution packages, WAR files, logs, and reports. By replacing the actual modules with trojanized versions, an actor could steal sensitive information or deliver additional payloads to all its downstream users.

"The vulnerability was found in a workflow called 'ci.yml' which is responsible for building and testing the repository's code," Legit Security researcher Noam Dotan said in a technical write-up.

By exploiting this weakness, an attacker could trick the GitHub workflow into executing a malware-laced artifact, effectively making it possible to tamper with repository branches, pull requests, issues, and releases.

The maintainers of the Rust programming language addressed the issue on September 26, 2022, following responsible disclosure on September 15, 2022.

Have a conversation

Keep community guidline!

No record found

Hi, would you like to be the first to comment!
5th August, 2023 • Opinion

Scholar Indexing Society Thesis Topics


Read more

22nd July, 2023 • Opinion

On the shoulders of giants

Read more

21st June, 2023 • Special Issues

Pursuing a PhD in Informatics

Read more


Search SIS !

Articles, journal, project, hall of fame

Username or Email

Don't have an account? Register

Already have an account? Login

Copyright © Scholar Indexing Society All Rights Reserved.