"School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project"
A school-age hacker from Verona, Italy, has highlighted why developers must be cautious about what they download from public code repositories. As an experiment, the young hacker uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI). The packages were named "requesys," "requesrs," and "requesr," all common misspellings of "requests," a legitimate and widely used HTTP library for Python.

According to researchers at Sonatype, who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded approximately 258 times, presumably by developers who made typographical errors when attempting to install the genuine "requests" package. The package included scripts for traversing and encrypting Windows folders such as Documents, Downloads, and Pictures. One version of "requesys" contained plaintext Python encryption and decryption code; a later version instead shipped a Base64-obfuscated executable, making analysis more difficult.

The incident is one of a growing number of recent cases in which threat actors have planted malicious code in widely used software repositories to trick developers into downloading and installing it in their environments. Several of these, like this latest incident, have involved typosquatted packages or malware with similar-sounding names to legitimate software on public repositories. For example, in May, Sonatype discovered that 300 developers had downloaded a malicious package called "Pymafka" from the PyPI registry, mistaking it for "PyKafka," a legitimate and widely downloaded Kafka client. This article continues to discuss the uploading of ransomware scripts to the PyPI repository by a school kid and the growing number of instances of malicious code in repositories.
Dark Reading reports "School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project"