This Week in Malware - 450 Packages and a Phishing Campaign Against PyPI Maintainers

August 26, 2022 By Aaron Linskens


This week in malware, we discovered and analyzed 450 packages flagged as malicious, suspicious, or dependency confusion attacks.

Also this week, a phishing email campaign targeted PyPI maintainers in an attempt to compromise accounts and inject malware into the registry’s packages.

Additionally, Sonatype’s director of information security explored the connection between security and procurement.

Ongoing phishing: email campaign still trying to catch PyPI maintainers unawares

An ongoing phishing attack seeks to steal PyPI maintainer credentials and lace their legitimate packages with malware.

Reportedly the first known phishing campaign against PyPI, the scheme attempts to fool maintainers into running a purported Google-implemented “mandatory validation process” or risk removal from the registry.


Any unsuspecting developer who clicks through and provides credentials via a lookalike login page unknowingly exposes their packages for abuse. Hijacked versions of packages then download a malware file from a remote server.

PyPI removed affected releases, such as 'spam' (versions 2.0.2 and 4.0.2) and 'exotel' (version 0.1.6), froze compromised maintainer accounts, and removed “several hundred typosquats that fit the same pattern.” Registry admins remain in active review to identify any additional malicious releases. 

For more information, see Ax Sharma’s BleepingComputer article.

The long list of this week’s malicious packages

We caught the following this week via Sonatype’s automated malware detection system, offered as a part of Nexus Firewall:


These discoveries follow our report last week of dependency confusion PoCs and typosquats dropping malicious cryptominers. 

Additionally, last week Ax Sharma published a deep dive into 200+ malicious cryptomining packages that flooded npm and PyPI registries.

Turn on Nexus Firewall for Automatic Protection

As a DevSecOps organization, we remain committed to identifying and halting attacks, such as those mentioned above, against open source developers and the wider software supply chain.

Users of Nexus Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.

A flowchart representation of how Nexus Firewall works

Nexus Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in progress, thereby keeping your software supply chain protected from the start. 

Sonatype’s world-class security research data, combined with our automated malware detection technology, safeguards your developers, customers, and software supply chain from infections.
