Malicious 'typosquat' Python packages with ransomware scripts discovered

Researchers discover malicious 'typosquat' Python packages with ransomware scripts


Victims are offered the decryption key without payment, but the prank demonstrates how easy such an attack can be

Researchers at software supply chain management firm Sonatype have identified many malicious Python packages with ransomware scripts.

In a blog post detailing their findings, Sonatype researcher Ax Sharma said these packages are named after a legitimate library called 'requests', which is well known among developers.

'Typosquatting' is a kind of phishing attack in which subtle changes are made to the names of files, emails or website addresses to make it look like a legitimate service or content.

The goal of malicious typosquatting packages is to trick an unsuspecting user or a developer into downloading the malicious package rather than the one they meant to install.

Sonatype researchers claim to have discovered three malicious PyPI (Python Package Index) packages with names similar to the legitimate 'requests' library, all of which contain ransomware scripts.

These malicious packages are:

These packages have been assigned identifier sonatype-2022-4350 by the company.

Any developer who accidentally misspells the "requests" library while trying to install or include it in their package is at risk of receiving one of the malicious packages and being infected with ransomware as a result.

The 'requesys' package, in all of its versions, includes scripts that, when run, navigate a Windows user's directories, like "Documents," "Pictures," and "Downloads," and start encrypting items.

If the package runs successfully, the user will get a pop-up message urging them to get in touch with the package author "OHR (Only Hope Remains)" via their Discord server.

The 'requesys' package has been downloaded around 258 times, according to Sonatype, although researchers only found about 15 such messages (victims) in the Discord channel.

The package author OHR (or b8ff) is offering the victims the decryption key without demanding any money in return.

b8ff told Sonatype that their package is part of a project that was "developed for fun" and that the ransomware script used in the package is "completely open source".

The author thinks the package is technically harmless because no payment is sought from victims after encryption.

The Verona, Italy-based "learning developer" b8ff describes himself as a student who recently developed an interest in exploits because they are very easy to create.

"I was surprised to see how easy it was to 'create' this exploit and how interesting it was," said b8ff.

"I'm still in school and as of right now I know Python, Lua, HTML and a bit of CPP and that's it."

b8ff renamed the 'requesys' package after Sonatype contacted the author. The other two packages were also removed from PyPI, either by the registry admins or by their authors.

Public open source code repositories play a crucial role in the software supply chain that many organisations use to create applications. As a result, they have become an attractive target for hackers looking to spread malware widely.

Researchers therefore believe more inspection and mitigation measures should be put in place.

In May, researchers found a malicious package that was submitted to the popular PyPI repository for Python application developers and was used to distribute Cobalt Strike on Windows, macOS, and Linux systems.

In March, more than 200 malicious packages that attempted to target Azure developers to steal personally identifiable information were removed from the npm JavaScript repository.