Three Packages Targeting Linux with Crypto Miners Found in Python's 'PyPi' Repository

An anonymous reader shared this report from The Hacker News:
Three new malicious packages have been discovered in the Python Package Index (PyPI) open-source repository with capabilities to deploy a cryptocurrency miner on affected Linux devices.

The three harmful packages, named modularseven, driftme, and catme, attracted a total of 431 downloads over the past month before they were taken down...

The malicious code resides in the __init__.py file, which decodes and retrieves the first stage from a remote server, a shell script ('unmi.sh') that fetches a configuration file for the mining activity as well as the CoinMiner file hosted on GitLab. The ELF binary file is then executed in the background using the nohup command, thus ensuring that the process continues to run even after exiting the session. 'Echoing the approach of the earlier 'culturestreak' package, these packages conceal their payload, effectively reducing the detectability of their malicious code by hosting it on a remote URL,' said Fortinet FortiGuard Labs researcher Gabby Xiong. 'The payload is then incrementally released in various stages to execute its malicious activities.'

Read more of this story at Slashdot.