"SSH Keys Stolen by Stream of Malicious PyPI and npm Packages"

Malicious npm and PyPI packages have been discovered stealing sensitive data, including SSH keys, from software developers. The campaign, which started on September 12, 2023, was first spotted by analysts at Sonatype, who discovered 14 malicious packages on npm. According to Phylum, after a brief operational hiatus on September 16 and 17, the attack resumed and extended to the PyPI ecosystem. Since the campaign began, the attackers have uploaded 45 packages, 40 to npm and 5 to PyPI, with variations in the code suggesting that the attack is evolving rapidly. The malicious packages use typosquatted names that closely resemble those of popular legitimate packages, so a developer who mistypes a dependency name can install the malicious package instead. This article continues to discuss the recently discovered stream of malicious npm and PyPI packages.

Bleeping Computer reports "SSH Keys Stolen by Stream of Malicious PyPI and npm Packages"

Submitted by grigby1
 
