At least 241 malicious npm and PyPI packages have been spotted dropping cryptominers after infiltrating Linux machines. A majority of these packages are typosquats of widely used libraries, and each one of them downloads a Bash script on Linux systems that run cryptominers. Some of the open-source libraries and commands that the hackers copied include Reacy, argparse, and AIOHTTP.

Key observations

  • At least 33 packages on PyPi were observed installing crypto mining software XMRig following a Linux system infection.
  • The threat actor published another set of 22 packages with the same malicious payload, targeting Linux systems and installing the cryptomining software.
  • The Python packages contain code that downloads the Bash script from the threat actor's server.
  • Upon execution, the script notifies the threat actor of the IP address of the compromised host and whether the deployment of cryptominers succeeded.

How are the packages identified?

  • The malicious packages were found through a developer and researcher’s side project called the Package Observatory Club, which queries and stores metadata about all new packages uploaded to PyPI and runs some heuristics. In case any package looked suspicious enough, the project alerted the researcher.
  • Just last week, Sonatype spotted 186 malicious packages flooding the npm registry that infect Linux hosts with cryptominers by downloading a malicious Bash script from the threat actor's server.

Similar incidents

  • PyPi packages target Counter-Strike servers: A dozen malicious Python packages were uploaded to the PyPi repository last weekend to conduct a typosquatting campaign that attacks Counter-Strike 1.6 servers with DDoS attacks.
  • PyPi packages steal developer credentials: In early August, threat analysts discovered 10 malicious Python packages on the PyPI repository, used to infect developers' systems with password-stealing malware.


With the latest incident, open-source repositories, specifically PyPi and npm, are being used repeatedly to target Linux and Windows users. The aim is to drop malicious code and take over the victim's system to mine cryptocurrency. Despite various security enhancements and new features in place, threat actors have gained momentum in the last three weeks, with multiple attacks carried out.
Cyware Publisher