View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
December 13, 2022updated 14 Dec 2022 10:47am

PyPI and NPM code repositories targeted in ongoing ransomware attack

The campaign is delivering malware via popular coding packages on the much-used repositories. It could find its way into popular apps.

By Claudia Glover

Developers using PyPI and NPM code repositories are being targeted with ransomware. Attackers are deploying the malware using fake modules and a technique called typosquatting, that lures victims into downloading a fake and malicious piece of code. 

Code repositories targeted in ongoing ransomware campaign. (Photo by Mark_Kostich/Shutterstock)

The criminals behind the campaign are now active on leading code registry NPM, security company Phylum reports.

PyPI is the biggest code repository for the python programming language and is run by the Python Software Foundation. It hosts more than 350,000 software packages. NPM, meanwhile, is the central repository for javascript programming, and home to more than a million packages.

How the PyPi and NPM code repositories are being targeted with ransomware

The criminals lure their victims into downloading the malware using typosquatting, a form of cyberattack where malware is delivered from a file with a similar name to a popular and legitimate piece of code. In this case, the hackers are impersonating the Python Requests package on PyPI with a host of almost identically named files such as “Python Requests”.

Once downloaded, the malware causes the victim’s desktop background to change to an image controlled by the hacker that claims to be from the CIA, while encrypting files in the background.

Opening a Readme file generated by the malware shows a message from the attacker asking for $100 typically in cryptocurrency for the decryption key.

The malware deployed is called W4SP Stealer. It is capable of stealing a wide range of sensitive data including stored passwords, cookies, Discord tokens, crypto wallets, and Telegram data, among other applications.  

Content from our partners
Scan and deliver
GenAI cybersecurity: "A super-human analyst, with a brain the size of a planet."
Cloud, AI, and cyber security – highlights from DTX Manchester

Infected packages continue to be published to PyPI, software developers at Phylum are identifying them and removing them to the best of their abilities.

On the NPM code repository, it appears the criminals are using a similar tactic and typosquatting packages related to messaging app Discord.

Phylum first spotted the campaign on Friday, and an update posted earlier says it appears to still be live. “The attacker has remained active, publishing additional malware packages to PyPI,” Louis Lang, CTO of Phylum, says in a blog post about the campaign. “The attacker also appears to have cut a new release of the ransomware, and limited the supported architectures.”

Read more: Low code and intelligent automation are changing the role of IT teams

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how Progressive Media Investments may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.