An apparently school-age hacker from Verona, Italy, has become the latest to highlight why developers must be cautious about what they download from public code repositories these days.
As an experiment, the teenage hacker recently posted many malicious Python packages containing ransomware programmes to the Python Package Index (PyPI).
The packages' names were "requesys," "requesrs," and "requesr," which are all typical misspellings of "requests," a valid and extensively used HTTP library for Python.
According to the Sonatype researchers who discovered the malicious code on PyPI, one of the packages (requesys) was downloaded around 258 times — probably by developers who made typographical errors when attempting to download the genuine "requests" package.
The bundle included scripts for exploring directories such as Documents, Pictures, and Music.
One version of the requesys package included plaintext Python encryption and decryption code. However, a later version included a Base64-obfuscated executable, making analysis more difficult, according to Sonatype.
Developers whose systems were encrypted received a pop-up notice urging them to contact the package's author, "b8ff" (aka "OHR" or Only Hope Remains), on his Discord channel for the decryption key. According to Sonatype, victims were able to receive the decryption key without having to pay for it.
"And that makes this case more of a gray area rather than outright malicious activity," Sonatype concludes.
Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package.
According to the company, Sonatype identified the virus on July 28 and promptly reported it to PyPI's authorities. Two of the packages have subsequently been deleted, and the hacker has renamed the requesys package so that developers do not confuse it with a valid programme.
"There are two takeaways here," says Sonatype's Ankita Lamba, senior security researcher. First and foremost, be cautious while spelling out the names of prominent libraries, as typosquatting is one of the most prevalent malware attack tactics, she advises.
Second, and more broadly, developers should always use caution when obtaining and integrating packages into their software releases. Open source is both a necessary fuel for digital innovation and an attractive target for software supply chain threats, explains Lamba.
Following the newest finding, Sonatype researchers contacted the creator of the malicious code and discovered him to be a self-described school-going hacker who was evidently fascinated by exploits and the simplicity with which they might be developed.
According to Lamba, b8ff assured Sonatype that the ransomware software was totally open source and part of a hobby project.
"As they are a school-going 'learning developer,' this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray," Lamba says. "The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was."
