Developers using PyPI and NPM code repositories are being targeted with ransomware. Attackers are deploying the malware using fake modules and a technique called typosquatting, that lures victims into downloading a fake and malicious piece of code.
The criminals behind the campaign are now active on leading code registry NPM, security company Phylum reports.
PyPI is the biggest code repository for the python programming language and is run by the Python Software Foundation. It hosts more than 350,000 software packages. NPM, meanwhile, is the central repository for javascript programming, and home to more than a million packages.
How the PyPi and NPM code repositories are being targeted with ransomware
The criminals lure their victims into downloading the malware using typosquatting, a form of cyberattack where malware is delivered from a file with a similar name to a popular and legitimate piece of code. In this case, the hackers are impersonating the Python Requests package on PyPI with a host of almost identically named files such as “Python Requests”.
Once downloaded, the malware causes the victim’s desktop background to change to an image controlled by the hacker that claims to be from the CIA, while encrypting files in the background.
Opening a Readme file generated by the malware shows a message from the attacker asking for $100 typically in cryptocurrency for the decryption key.
The malware deployed is called W4SP Stealer. It is capable of stealing a wide range of sensitive data including stored passwords, cookies, Discord tokens, crypto wallets, and Telegram data, among other applications.
Infected packages continue to be published to PyPI, software developers at Phylum are identifying them and removing them to the best of their abilities.
On the NPM code repository, it appears the criminals are using a similar tactic and typosquatting packages related to messaging app Discord.
Phylum first spotted the campaign on Friday, and an update posted earlier says it appears to still be live. “The attacker has remained active, publishing additional malware packages to PyPI,” Louis Lang, CTO of Phylum, says in a blog post about the campaign. “The attacker also appears to have cut a new release of the ransomware, and limited the supported architectures.”