January 4, 2024 at 06:24AM
Three new malicious packages discovered in the Python Package Index (PyPI) repository can deploy a cryptocurrency miner on affected Linux devices. The packages, modularseven, driftme, and catme, attracted 431 downloads before being removed. They conceal their payload, deploy a CoinMiner executable, and persistently exploit devices, evading detection and security software.
Based on the meeting notes, the key takeaways are:
– Three new malicious packages – modularseven, driftme, and catme – were discovered in the Python Package Index (PyPI) with the ability to deploy a cryptocurrency miner on affected Linux devices.
– The packages attracted a total of 431 downloads before being taken down.
– The malicious code resides in the __init__.py file and deploys a CoinMiner executable, concealed in a remote URL, to execute its malicious activities in various stages.
– The malicious packages also insert commands into the ~/.bashrc file for persistence and reactivation on the user’s device.
– There are connections to the prior ‘culturestreak’ package campaign, including hosting the configuration file on the domain papiculo[.]net and the coin mining executables on a public GitLab repository.
– The new packages introduce an extra stage by concealing their nefarious intent in the shell script, aiding in prolonged, stealthy exploitation of the user’s device.
These takeaways provide a clear summary of the important details and implications discussed in the meeting notes.