Cryptominers Slither into Python Projects in Supply-Chain Campaign
#1
Information 
Quote: A group of cryptominers was found to have infiltrated the Python Package Index (PyPI), which is a repository of software code created in the Python programming language.
 
Similar to other repositories like GitHub, npm and RubyGems, PyPI is part of the software supply chain. It offers a place where coders can upload software packages for use by developers in building various applications, services and other projects. Unfortunately, a single malicious package can be baked into multiple different projects – infecting them with cryptominers, info-stealers and more, and making remediation a complex process.

Researchers at Sonatype found six different malicious packages hiding in PyPI, which have a collective 5,000 downloads, all uploaded by a user with the handle “nedog123,” according to a Tuesday blog post.
 
These consist of a main package called “maratlib,” along with five others that use maratlib as a component: maratlib1; matplatlib-plus; mllearnlib; mplatlib and learninglib.
 
“Also, some of these packages are typosquats, or programs that are expected to be grabbed by people accidentally typing in the wrong name,” wrote Sonatype researcher Ax Sharma in the posting. “For example, the counterfeit mplatlib and matplatlib-plus are named after the legitimate Python plotting software [called] matplotlib.”

Read more: Cryptominers Slither into Python Projects in Supply-Chain Campaign | Threatpost
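The typosquat names quoted above (mplatlib and matplatlib-plus standing in for matplotlib) are the kind of thing a pre-install review hook can catch with an edit-distance check against a list of popular package names. The script below is an added example written for this thread; it is not code from the Threatpost article or from Sonatype. The list of popular packages is a small constructed sample, the per-length tolerance values are a heuristic I chose, and the six reported names are taken from the article as quoted. Names are normalized the way PyPI does (PEP 503: case-fold, collapse runs of `-`, `_` and `.` to `-`), and each hyphen-delimited prefix of a name is also compared, so the misspelled stem of matplatlib-plus is caught.

```python
"""Heuristic typosquat check for PyPI package names (added example, not Sonatype's tooling)."""
import re

# Constructed reference list of popular packages; a real hook would load the top-N from PyPI stats.
POPULAR = ["matplotlib", "numpy", "pandas", "requests", "scikit-learn", "scipy", "seaborn"]

# The six package names reported in the Sonatype findings quoted above.
REPORTED = ["maratlib", "maratlib1", "matplatlib-plus", "mllearnlib", "mplatlib", "learninglib"]

_SEPARATORS = re.compile(r"[-_.]+")


def normalize(name: str) -> str:
    """PEP 503 normalization: case-fold and collapse runs of '-', '_' and '.' to a single '-'."""
    return _SEPARATORS.sub("-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) using a single-row dynamic programme."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def max_distance(target: str) -> int:
    """Heuristic tolerance (my choice): short legitimate names get very little slack,
    long ones a bit more, so 'numpx' is flagged but 'pip' neighbours are not."""
    n = len(target)
    return 1 if n <= 5 else 2 if n <= 8 else 3


def candidate_forms(name: str):
    """Yield the normalized name and each hyphen-delimited prefix of it,
    so 'matplatlib-plus' is also compared as 'matplatlib'."""
    parts = normalize(name).split("-")
    for k in range(1, len(parts) + 1):
        yield "-".join(parts[:k])


def typosquat_matches(name: str, popular=POPULAR):
    """Return [(form, legit_name, distance), ...] for every popular name that the
    candidate, or one of its prefixes, is suspiciously close to without being equal."""
    legit = sorted({normalize(p) for p in popular})
    norm = normalize(name)
    if norm in legit:
        return []  # the genuine package itself
    hits = []
    for form in candidate_forms(name):
        for target in legit:
            d = levenshtein(form, target)
            # d == 0 on a prefix means a correctly spelled popular name plus a suffix,
            # which is a common legitimate extension pattern; only misspellings count here.
            if 0 < d <= max_distance(target):
                hits.append((form, target, d))
    return hits


def flag_typosquats(names, popular=POPULAR):
    """Map each suspicious name to its matches; names with no close neighbour are omitted."""
    flagged = {}
    for n in names:
        hits = typosquat_matches(n, popular)
        if hits:
            flagged[n] = hits
    return flagged


if __name__ == "__main__":
    for name, hits in flag_typosquats(REPORTED).items():
        for form, target, d in hits:
            print(f"{name}: '{form}' is {d} edit(s) from legitimate '{target}'")
```

Run against the six reported names, only mplatlib and matplatlib-plus are flagged, which matches the article's own characterisation: the other four are malicious but not look-alikes of anything in the reference list, so edit distance alone would not have caught them. Treat a hit as a trigger for manual review rather than an automatic block; legitimate packages with names one or two edits from a popular one do exist.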