informa
4 min read
article

School Kid Uploads Ransomware Scripts to PyPI Repository as 'Fun' Project

The malware packages had names that were common typosquats of a legitimate widely used Python library. One was downloaded hundreds of times.

An apparently school-age hacker based in Verona, Italy, has become the latest to demonstrate why developers need to pay close attention to what they download from public code repositories these days.

The young hacker recently uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI), supposedly as an experiment.

The packages were named "requesys," "requesrs," and "requesr," which are all common typosquats of "requests" — a legitimate and widely used HTTP library for Python.

According to the researchers at Sonatype who spotted the malicious code on PyPI, one of the packages (requesys) was downloaded about 258 times — presumably by developers who made typographical errors when attempting to download the real "requests" package. The package had scripts for traversing folders such as Documents, Downloads, and Pictures on Windows systems and encrypting them. 

One version of the requesys package contained the encryption and decryption code in plaintext Python. But a subsequent version contained a Base64-obfuscated executable that made analysis a little harder, according to Sonatype.

An Absence of Malice?

Developers who ended up with their system encrypted received a pop-up message instructing them to contact the author of the package — "b8ff" (aka "OHR" or Only Hope Remains) — on his Discord channel, for the decryption key. Victims were able to obtain the decryption key without having to make a payment for it, Sonatype says.

"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes. Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package.

Sonatype discovered the malware on July 28 and immediately reported it to PyPI's administrators, the company says. Two of the packages have since been removed and the hacker has renamed the requesys package, so developers no longer mistake it for a legitimate package.

"There are two takeaways here," says Ankita Lamba, senior security researcher, at Sonatype. "First, be cautious when typing out the names of popular libraries, as typosquatting is one of the most common attack methods for malware," she says.

Second and more broadly, developers should always be cautious about what they’re downloading and what packages they’re incorporating into their software builds. "Open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks," Lamba says.

Growing Number of Malicious Code in Repositories

The incident is among a growing number of instances recently in which threat actors have planted malicious code in widely used software repositories, with the goal of getting developers to download and install it in their environments. 

Some of them — like the latest incident — have involved typosquatted packages, or malware with similar sounding names as legitimate software on public software repositories. In May, for instance, Sonatype found that some 300 developers had downloaded a malicious package for distributing Cobalt Strike called "Pymafka" from the PyPI registry, thinking it was "PyKafka," a legitimate and widely downloaded Kafka client. 

Also in May, Sonatype discovered another malicious package on PyPI called "karaspace," used for stealing system information, that had the same name as a legitimate Kafka project on GitHub.

In July, researchers at Kaspersky discovered four information-stealing packages in the Node Package Manager (npm) repository. The same month, ReversingLabs reported finding some two-dozen, heavily obfuscated npm modules for stealing data that had been downloaded more than 27,000 times. The vendor estimated the malicious packages were likely installed in hundreds — and likely even thousands — of mobile applications and websites.

Security researchers have pointed to the trend as heightening the need for organizations to pay closer attention to their software supply chains — especially when it comes to using open source software from public repositories such as PyPI, npm, and Maven Central.

A "Fun" Research Project

Following the latest discovery, researchers at Sonatype contacted the author of the malicious code and found him to be a self-described school-going hacker apparently intrigued by exploits and the ease of developing them.

Lamba says b8ff told Sonatype that the ransomware script was completely open source and part of a project that he had developed for fun.

"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."