Sonatype spots another PyPI package behaving badly

Sonatype has unearthed yet more malware lurking on PyPI, this time a fileless Linux nasty designed to mine Monero and using the identity of a real person to lend credibility to the package.

The package in question (now gone from the PyPI) was named "secretslib" which "describes itself as 'secrets matching and verification made easy'," according to Sonatype.

Upon closer inspection, the package actually ran a cryptominer in-memory on a Linux machine. To make matters worse, Sonatype noted that "the malicious package used the identity and contact information of a real national laboratory software engineer working for a US Department of Energy-funded lab."

A look at the library's code didn't show much to do with the matching and verification of secrets, "whatever that means," remarked Sonatype. Instead, it contained encoded instructions to download a file called "tox", ran it with sudo permissions, and deleted it after it was running.

Sonatype noted that the tox binary was stripped, with debugging information removed.

"Application developers may sometimes strip executables for legitimate reasons," Sonatype explained, "such as reducing the size of a production release before distribution.

• Boffins rate npm and PyPI package security and it's not good
• Sonatype shines light on typosquatting ransomware threat in PyPI
• RubyGems polishes security practices with multi-factor authentication push
• If you're using the ctx Python package, bad news: Vandal added info-stealing code

"But malicious actors can just as well find value from the functionality as stripping binaries could deter analysts and automated sandboxes from studying their malware as vital debugging information is removed."

In this case, while tox itself might seem innocent enough (and not necessarily trip any alarms), the binary dropped another ELF (a Linux executable) directly in memory. Not uncommon, and Linux has syscalls that enable programmers to drop files in RAM rather than writing them to disk, but trickier for antivirus software to pick-up.

The extra twist in this case was the use of the identify of an actual person to mask the malware. Combine this with the stripped Linux binary dropping a cryptominer into memory, and it all gets very interesting. Or distinctly worrying for the developer hunting for packages while dodging malware.

The good news is that Sonatype let the named engineer know about the package, which resulted in PyPI swiftly yanking it after less than 100 downloads. However, the report, and others concerning typo-squatting or poisoned packages lurking in open-source repositories, is yet another reminder that care needs to be taken when leaping upon a package that seems to do everything you need, but might also do something you definitely don't. ®