Counterfeit PyPI packages discovered #Python @arstechnica

Counterfeit packages downloaded roughly 5,000 times from the official Python repository contained secret code that installed cryptomining software on infected machines, Ars Technica reports.

The malicious packages, which were available on the PyPI repository, in many cases used names that mimicked those of legitimate and often widely used packages already available there, Ax Sharma, a researcher at security firm Sonatype reported. So-called typosquatting attacks succeed when targets accidentally mistype a name such as typing “mplatlib” or “maratlib” instead of the legitimate and popular package matplotlib.

Sharma said he found six packages that installed cryptomining software that would use the resources of infected computers to mine cryptocurrency and deposit it in the attacker’s wallet. All six were published by someone using the PyPI username nedog123, in some cases as early as April. The packages and download numbers are:

  • maratlib: 2,371
  • maratlib1: 379
  • matplatlib-plus: 913
  • mllearnlib: 305
  • mplatlib: 318
  • learninglib: 626

The malicious code is contained in the setup.py file of each of these packages. It causes infected computers to use either the ubqminer or T-Rex cryptominer to mine digital currency.

Read more in the article here.


8-6-2021 (August 6, 2021) is the Snakiest day of the year and it’s also this year’s CircuitPython Day! The day highlights all things CircuitPython and Python on Hardware. See you there!

Stop breadboarding and soldering – start making immediately! Adafruit’s Circuit Playground is jam-packed with LEDs, sensors, buttons, alligator clip pads and more. Build projects with Circuit Playground in a few minutes with the drag-and-drop MakeCode programming site, learn computer science using the CS Discoveries class on code.org, jump into CircuitPython to learn Python and hardware together, TinyGO, or even use the Arduino IDE. Circuit Playground Express is the newest and best Circuit Playground board, with support for CircuitPython, MakeCode, and Arduino. It has a powerful processor, 10 NeoPixels, mini speaker, InfraRed receive and transmit, two buttons, a switch, 14 alligator clip pads, and lots of sensors: capacitive touch, IR proximity, temperature, light, motion and sound. A whole wide world of electronics and coding is waiting for you, and it fits in the palm of your hand.

Join 30,000+ makers on Adafruit’s Discord channels and be part of the community! http://adafru.it/discord

Have an amazing project to share? The Electronics Show and Tell is every Wednesday at 7pm ET! To join, head over to YouTube and check out the show’s live chat – we’ll post the link there.

Join us every Wednesday night at 8pm ET for Ask an Engineer!

Follow Adafruit on Instagram for top secret new products, behinds the scenes and more https://www.instagram.com/adafruit/

CircuitPython – The easiest way to program microcontrollers – CircuitPython.org


Maker Business — Over 500,000 manufacturing jobs are going unfilled

Wearables — Stop the sweat

Electronics — Hummm… 60Hz noise in your amplifier driving you nuts?

Python for Microcontrollers — Python on Microcontrollers Newsletter: EuroPython 2021, CircuitPython 7.0.0 alpha 5 and more! #Python #Adafruit #CircuitPython @micropython @ThePSF

Adafruit IoT Monthly — Smart Agriculture, an E-Ink Newspaper, and more!

Microsoft MakeCode — MakeCode for the micro:bit - 2021 Release!

EYE on NPI — Maxim’s Himalaya uSLIC Step-Down Power Module #EyeOnNPI @maximintegrated @digikey

New Products – Adafruit Industries – Makers, hackers, artists, designers and engineers! — NEW PRODUCTS – Silicone Keycap Molds – MX Compatible Switches

Get the only spam-free daily newsletter about wearables, running a "maker business", electronic tips and more! Subscribe at AdafruitDaily.com !



No Comments

No comments yet.

Sorry, the comment form is closed at this time.