Select Page

An active malware campaign is targeting the Python Package Index (PyPI) and npm repositories for Python and JavaScript with typosquatted and fake modules that deploy a ransomware strain, marking the latest security issue to affect software supply chains.

The typosquatted Python packages all impersonate the popular requests library: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.

According to Phylum, the rogue packages embed source code that retrieves a Golang-based ransomware binary from a remote server depending on the victim’s operating system and microarchitecture.

Successful execution causes the victim’s desktop background to be changed to an actor-controlled image that claims to the U.S. Central Intelligence Agency (CIA). It’s also designed to encrypt files and demand a $100 ransom in cryptocurrency.

In a sign that the attack is not limited to PyPI, the adversary has been spotted publishing five different modules in npm: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.

images from Hacker News