Ransomware contained in typosquat Python scripts
Researchers at Sonatype have identified multiple malicious Python packages that contain ransomware scripts.
The packages are named after a legitimate, widely known library called 'Requests', with names like 'requesys', 'requesrs' and 'requesr', in order to trick developers into installing the wrong version.
Ax Sharma, senior security researcher at Sonatype, writes on the company's blog, "While incidences of malware infiltrating open source repositories are hardly surprising, as we've repeatedly seen, it's not often we come across open source packages dropping ransomware. Last we saw this was in 2021 when we spotted npm typosquats launching MBRLocker ransomware."
Analysis shows that versions of the 'requesys' package contain scripts that traverse a Windows user's folders, such as Documents, Downloads and Pictures and begin encrypting files.
What's interesting is that once encryption has taken place a message is displayed pointing the victim to the malware author's Discord server where a decryption key is available for free. This makes the motivation behind the malware seem rather unclear.
The research shows the 'requesys' package has been downloaded over 250 times, though the Discord channel shows only 15 messages with encryption keys.
In another quirky feature the research found that the malicious script will only run if your Windows PC username is not 'GIAMI', suggesting that this is the name of the malware author's system.
Sonatype approached the author of 'requesys' -- who seems to be an Italian student -- via Discord and was told, the script is "completely open source" and part of a "project that I developed for fun", adding "I was surprised to see how easy it was to 'create' this exploit and how interesting it was".
The 'requesys' package has since been renamed to prevent anyone else falling victim.
You can read more on the Sonatype blog.