This Week in Malware — Typosquats in PyPI, dependency confusion packages

August 04, 2022 By Hernán Ortiz

This Week in Malware we discovered 50 packages that are either malicious or dependency confusion attacks.

Here’s a list for reference:


Ransomware scripts in PyPI

Three of the listed packages are typosquatting attacks on PyPI. In this case, the attacker mimics the name of the widely used 'Requests' library, expecting that developers will accidentally install the malicious packages instead of the legitimate one. If you mistype the name when installing, you may end up downloading a package that contains ransomware scripts.

Read our blog post for more details.

For reference, here are the names of the malicious packages:

requesys
requesrs
Requesr
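As an added illustration (not code from the original post or from Sonatype's tooling), here is a defender-side pre-install check: it parses a requirements file, normalizes names the way PyPI does (case-insensitive, with `-`, `_` and `.` treated alike), and flags any name within a small edit distance of a well-known package. The requirements text and the allowlist of known names are constructed for this example.

```python
import re

# Constructed allowlist; a real check would use a curated list of your organisation's approved packages.
KNOWN_PACKAGES = ["requests", "urllib3", "numpy", "pandas"]

# Constructed sample input; not a real project's requirements.txt.
SAMPLE_REQUIREMENTS = """\
requests==2.28.1
numpy>=1.23
requesys            # one character away from 'requests'
Requesr>=0.1        # PyPI names are case-insensitive
requesrs ; python_version < "3.10"
-r other.txt
"""

NAME_RE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_requirement_names(text: str) -> list[str]:
    """Extract the project name from each requirement line, skipping comments and pip options."""
    names = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        match = NAME_RE.match(line)
        if match:
            names.append(match.group(1))
    return names


def find_typosquat_candidates(text: str, known: list[str], max_distance: int = 2) -> list[tuple[str, str, int]]:
    """Return (requested name, closest known name, distance) for names that nearly match a known package."""
    known_norm = {normalize(k) for k in known}
    hits = []
    for name in parse_requirement_names(text):
        norm = normalize(name)
        if norm in known_norm:
            continue  # exact match after normalization: the legitimate package
        closest = min(known_norm, key=lambda k: levenshtein(norm, k))
        distance = levenshtein(norm, closest)
        if distance <= max_distance:
            hits.append((name, closest, distance))
    return hits


if __name__ == "__main__":
    for name, closest, distance in find_typosquat_candidates(SAMPLE_REQUIREMENTS, KNOWN_PACKAGES):
        print(f"suspicious: {name!r} is {distance} edit(s) from {closest!r}")
```

A hit is a prompt to verify the project on PyPI before installing, not proof of malice: legitimately named packages can also sit close to a popular name.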


Sonatype's automated malware detection system that's offered as a part of Sonatype Platform products, including Sonatype Repository Firewall, helped us discover these packages.

Turn on Sonatype Repository Firewall for automatic protection

As a DevSecOps organization, we remain committed to identifying and halting attacks against open source developers and the wider software supply chain, like the ones discussed above.

Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.


Tags: vulnerabilities, PyPI, malware prevention, DevZone, This Week in Malware, Sonatype Repository Firewall

Written by Hernán Ortiz

A technical writer for the DevRel team at Sonatype. Hernán has published experimental science fiction books and his work has appeared in international literary journals. You can usually find him holding a cup of Colombian coffee, listening to the latest post-punk/noise rock bands, and reading sentences aloud.