Cybersecurity researchers recently discovered half a dozen typosquatting packages in the official PyPI repository of the Python programming language that contained cryptomining malware.
The discovery was made by software supply chain automation and security provider Sonatype, which found six malicious packages that used slight variations in the names of popular Python packages to capitalize on users’ spelling mistakes.
In all, the six counterfeit packages garnered over 5000 downloads, once again highlighting the threat to software supply chains.
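Typosquatting works because a one-character slip in a requirements file still resolves to a real, attacker-owned package. The following added example (not Sonatype's tooling, and not code from the article) flags requirement names that are a near-miss of a popular package without being an exact match; the popular-package list and the requirements text are constructed for illustration.

```python
import re

# Constructed allow-list of well-known names (assumption; a real check would
# use PyPI's most-downloaded list). Names are compared in normalized form.
POPULAR = {"requests", "numpy", "pandas", "urllib3", "setuptools"}


def normalize(name: str) -> str:
    """PEP 503 name normalization: lower-case, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent transposition as one step, so the
    slip 'reqeusts' is distance 1 from 'requests', like a dropped letter."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def suspicious(name: str, popular=POPULAR, max_dist: int = 1):
    """Return the popular package this name is a near-miss of, else None.
    Exact matches are the legitimate package and are not flagged."""
    n = normalize(name)
    for p in sorted(popular):
        if n != normalize(p) and osa_distance(n, normalize(p)) <= max_dist:
            return p
    return None


def scan_requirements(text: str) -> dict:
    """Map each near-miss requirement name to the package it resembles."""
    hits = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if line:
            name = re.split(r"[\s<>=!~;\[]", line, 1)[0]  # strip specifiers
            if (match := suspicious(name)):
                hits[name] = match
    return hits


# Constructed requirements text: one genuine pin and two near-miss names.
SAMPLE = "requests==2.31.0\nreqeusts\nnumpi>=1.0\n# pandas pinned elsewhere\n"
```

Running `scan_requirements(SAMPLE)` returns `{'reqeusts': 'requests', 'numpi': 'numpy'}`; such a check belongs in CI before `pip install` is ever run on the file.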
“Our analysis tools are consistently catching and blocking counterfeit and malicious software components before they strike modern software supply chains,” writes Sonatype security researcher Ax Sharma.
Supply chain attacks
Sharma’s analysis shows the fake packages were all submitted by the same author, some dating as far back as April 2021.
This isn’t the first time malicious users have managed to slip dubious packages into PyPI, and Sonatype argues it won’t be the last, however unfortunate that might sound.
While these findings shouldn’t be taken lightly on their own, they look considerably worse in the context of the recent Veracode finding that suggests a majority of developers never update third-party open source libraries after including them in a codebase.