Malware campaign targets official Python and JavaScript repos

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


An active malware campaign is targeting official Python and JavaScript repositories.

Software supply chain security firm Phylum spotted the campaign. Phylum said that it discovered the campaign after noticing a flurry of activity around typosquats of the popular Python requests package.

Typosquats take advantage of simple typos to install malicious packages.

In this case, the PyPI typos include: dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnservrr, and tequests.

Phylum later discovered the attacker publishing the following NPM packages that also take advantage of typosquatting: discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr.

As clones of the official libraries, they often go unnoticed until it’s too late.

Dependent on the OS of the victim’s device, this particular malware downloads a relevant Golang binary. When executed, the desktop background of the victim’s computer is updated with a fake CIA image and the malware will attempt to encrypt some files.

A README file is placed by the malware on the desktop that asks the user to contact the individual on Telegram and pay “a small fee of $100” in BTC, ETH, LTC, or XMR. Failing to do so will result in the deletion of the decryption key, the attacker claims.

According to Phylum, the attack is ongoing (as of 13 December 2022) but a new version of the ransomware has been released that has also limited the supported architectures.

(Photo by engin akyurt on Unsplash)

Related: Syntax error breaks KmsdBot cryptomining botnet

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *