"New Ransomware Strain Discovered Lurking in Open-Source Packages"

Checkmarx and Phylum detailed a typosquatting campaign aimed at the NPM and PyPI package managers. The campaign embeds ransomware in look-alike packages and targets the popular "requests" package on PyPI and the "discord.js" package on NPM. When the ransomware is executed, it changes the desktop background, encrypts files, and leaves a file requesting $100 in cryptocurrency in exchange for the decryption key. Unlike most open-source attacks, the payload is only executed when the infected function is called rather than at install time, which lets the threat actor evade many security scanners. The payload is compatible with multiple operating systems, allowing the campaign to reach a broader set of victims. While NPM has a mechanism in place to detect typosquatting packages, the threat actor can circumvent it by employing different naming techniques. The researchers discovered several indicators that point to the attacker being Russian: the Telegram account linked to the attack, for example, has a Russian phone number, and the attacker was able to respond to messages in Russian. These attacks show that cyberattackers have been focusing their attention on the open-source package ecosystem. The researchers believe this trend will only accelerate in 2023, forcing developers and organizations to implement appropriate controls. The fight against threat actors who seek to contaminate the software supply chain ecosystem remains a challenge as attackers continue to evolve and use novel and unexpected techniques. This article continues to discuss the new ransomware strain found in open-source packages.
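One defender-side check the summary implies, as an added example that is not part of the Checkmarx/Phylum research: screen a project's dependency names for separator, case, or edit-distance variants of popular packages such as "requests" and "discord.js". The popular-package list and the distance threshold below are assumptions; a real deployment would use a top-N list from each registry.

```python
import re

# Constructed stand-in for a "popular packages" list per registry (assumption):
# the article names "requests" on PyPI and "discord.js" on npm as squatted targets.
POPULAR = {"pypi": {"requests", "urllib3"}, "npm": {"discord.js", "lodash"}}


def normalize(name: str) -> str:
    """Collapse case and the '.', '-', '_' separators that squatters swap around
    to slip past a registry's similar-name check."""
    return re.sub(r"[.\-_]", "", name.lower())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, registry: str, max_distance: int = 2):
    """Return (popular_name, reason) pairs for which `name` looks like a squat.
    An exact popular name is never flagged; separator/case variants and names
    within `max_distance` edits of a popular name are."""
    targets = POPULAR[registry]
    if name in targets:
        return []
    hits = []
    n = normalize(name)
    for target in sorted(targets):
        if n == normalize(target):
            hits.append((target, "separator/case variant"))
        elif levenshtein(name.lower(), target.lower()) <= max_distance:
            hits.append((target, "edit distance <= %d" % max_distance))
    return hits


def screen_manifest(deps, registry: str, max_distance: int = 2):
    """Screen dependency names (e.g. from requirements.txt or package.json) and
    return {dep: [(target, reason), ...]} for suspicious entries only."""
    report = {}
    for dep in deps:
        hits = typosquat_candidates(dep, registry, max_distance)
        if hits:
            report[dep] = hits
    return report
```

Run this in CI against the lockfile before installation; an exact match is fine, but any flagged entry should be reviewed by a human before the build proceeds.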

Medium reports "New Ransomware Strain Discovered Lurking in Open-Source Packages"

Submitted by Anonymous on