This week in malware, highlights include an influx of hundreds of dependency confusion packages with diverse targets and a 'python-dateutils' PyPI package that attempts to typosquat the vastly known Python module, dateutil.
python-dateutils cryptominer targets Windows, Linux, macOSYou've probably heard of the Python module 'dateutil'. The module offers powerful extensions to the standard datetime library; extensively used by Python developers. This week, however, Sonatype's automated malware detection system caught a suspicious PyPI package called 'python-dateutils' that mines Monero (XMR) cryptocurrency on your system — whether Windows, Linux, or macOS, and steals AWS credentials.
There is also some indication that in the past 'python-dateutils' could have been a legitimate library used by developers [1, 2]. But, versions of 'python-dateutils' caught by us this week are malicious.
Check out the detailed analysis in the dedicated blog post.
345+ dependency confusion packages caught
This week's findings involving dependency confusion candidates (npm and PyPI) include upwards of 345 packages:
0x-fee-wrapper-contract
1uphealth-demo-web-app
@3p-future-solutions/ember-cui
@amplify-components/amplify-table
@loomble/cspell-dictionary
@pagetour/ember-cui
@pagetour/sdk
CureIAM
acrtransfer
action-create-release-pr
action-prebuildify
action-publish-gh-pages
action-require-additional-reviewer
adelphi-api
agoric
agoric-sdk
agoric-servers
akita-docs
alntorch
alpaca-oas
andandand
app-types
apps-showcase
appsec-event-rules-tools
ashion-ingest
assign-issue
assign-pr
astrajs
atlas-link-checker
atomic-angular
atomic-next
attention-editor
azext-acrtransfer
azext-datashare
azfuse
azure-basic-sample
azure-directives-sample
azure-key-credential-sample
azure-mgmt-sample
azure-multiapi-sample
babel-plugin-remove-jsx-empty-expression
babel-preset-es201
bakabaka0010
bakaman
bevel
bitmex-easy-data-scripts
blockchain-classic-wallet
blockchain-wallet-ios
boilerplate-fig-autocomplete
btcspendfrom
cdcrep-docs
cg-trace
chain-desktop-wallet
channel-websocket
cleansheet
cli-e2e
client-sdk-contract-tests
cloudflare-docs
cloudflare-docs-engine
cloudinary-sample-angular
collection-events-discord-webhook
com.natw.secret_store_example
conduit-view
connectedvmware
consideration-deploy-bot
contentsource-connector
contract-metadata
contributor-site
create-sprinklr-app
crypto-com-chain-wallet
cs-task-runner
custom-pages-react-boilerplate
cvent-web-components
cx-api
cxf-plugins
dapp-inter
dapp-inter-agservers
dapp-inter-ui
dash-generator-test-component-standard
dassl
datadog-agent
datadog-agent-github-action
datadog-app
datadog-app-example-random-dog-dog-image-widget
datadog-app-example-sentiment
datadog-app-example-stream-admin
datadog-app-sentiment
datadog-app-stream-admin
datadog-app-template
datadog-cert-manager
datadog-checks
datadog-datadog_agent
datadog-filebeat
datadog-fluentbit
datadog-hbase-regionserver
datadog-jfrog-platform
datadog-php-apcu
datadog-php-opcache
datadog-pihole
datadog-portworx
datadog-reboot-required
datadog-redis-sentinel
datadog-redisenterprise
datadog-stardog
datadog-synthetics-github-action
datashare
dd-opentracing-cpp
dd-sdk-reactnative-example
decisionai-plugin
demo-store
dev-wallet
diiagrams
discord-badazera
discount-functions-sample-app
discourse-prepend-tags-in-topic-slug
djangobench
do-worker
docu-scilla
doom-workers
doom-workers-site
dummy_app
elementor.developers
en-conduit-electron-shared
en-conduit-plugin-in-app-purchasing
en-conduit-schema
en-conduit-sync
en-native-reg
en-thrift-internal
epam-assets
epam-promo
erc-1155
eth-faucet
ethers-js-snap
ethmoji-js-demo
euscp
evernote-client
evernote-thrift
example-api-routes
example-data-fetching
example-google-analytics
example-rust
example-typescript
eyeglass-embroider-app
files_pdfviewer
flipper-plugin-ribtree
fluentbit
flyteidl-flink
forthic
front-channel-template
frontegg
frontegg-angular
frontegg-template-app
fsbrowser
gamdist
gatelogic
generator-connection
git-dependency-maker
git-gatsby
gitreader
go-ml-transpiler
gojek
gym-pow
hackerone
heft-component-rig
helix-contentsource-connector
helix-rum-collector
helix-run-query
helix-slack-notification
helix-status-service
helloreactnative
hydrogen-monorepo
iframe-execution-environment
integration-framework
intercom-react-native-example
intercom-react-native.podspec
invalid-dependency
io.intercom.cordova.sample
katt-player
klio-it-read-bq-write-bq
launchdarkly
launchdarkly-api-typescript-sample
launchdarkly-cloudflare-worker-template
layoutlm
layoutlmv3
libwebp
lightweight-charts-3.8
loading-manifest
log-dqn
manualtestapp
mapray-js-monorepo
masked-conv2d-cuda
material-ui-plugin-styles-provider-cache
material-ui-plugin-theme-provider-cache
matic-docs
mattermost-plugin-calls
mattermost-plugin-playbooks
megaman-007mega
megamanza
merlin-pyspark-app
metadata-api-nodejs
metadata-service
metamask
metamask-docs
metamask-state-log-explorer
middleware-serde
miew-ap
miew-cli
minicom-node
minis-samples
mode-notebook-assets
module-worker
multi-event-input-batch
multisig-wallet-generator
mymegamanz
ncg
nerve-tools
new-npm-packages
nft-tickets-workshop
nft-tutorial
nishant-ok-angularjs
nnabla-browser
nodejs-driver
nose-advancedlogging
npm-mega
ns-help
oemreactsample
omm-frontend
onnxruntime-olive
opensea-creatures
opensea-erc1155
opensea-ships-log
osci
osmosis-frontend
pages-plugins
pagespeed-server
pcln-types
pcstac
petstoreinc
plasma-website
platform-client
polaris-for-figma
polaris-for-vscode
prerelease-registry
procore-sample-ror
proof-generation-api
propagation-b3
pulsar-sink-docs
purple_team_midway_cenario_1
purple_team_midway_cenario_2
purple_team_midway_teste_cenario_1
purple_team_midway_teste_cenario_2
pyfunc-ensembler-job
pyfunc-ensembler-service
pyfuncserver
pyis-onnx
pyis-python
pyis-torc
react-datepicker-docs
react-jesting-library
react-ldclient-default-values
react-native-performance-monorepo
redux-data-model-documentation
region-info
remote-ui
reorgs-frontend
research.cloudflare.com
rnskia
roblox-wrapper
rpe-index
ruby-style-guide
rust-docs
rust-functions
rv-modal-store
sample-mini
scratch-resources
scratch-www
sdk-release
sdk_repl_app
sentry-cloudflare-access-auth
separatecalculatingbinary
service-error-classification
share-service-client
shared-ini-file-loader
shopify-cli-extensions-test-utils
shopify-frontend-template-react
shopify-internal
shopify-marketplaces-buyer-app
shoppedemo
slack-notification
slg-shared-utils
slg-vue-components
slint-config-nodejs
smoooth-merchant
snapcanvas-sdk
spaces-design
spotify-tensorflow-dataflow
sprinklr-app
stargate-docs
starter-react-frontend-app
stone.backends
stone.backends.python-rsrc
stone.frontend
stone.ir
stpyv8
synapse-tools
template-snap-monorepo
test-async-config
test-server-components
th-simple-keyring
theme-whale-light
thisisourgoal
thisisourgoal1
timebase-client
timebase-web-admin
tipsextension
tomtom-rk
tracdjangoplugin
tronweb2
twofactor_totp
typescript-snap
ui-extensions-dev-console-app
upgrade-challenge
upload-dsyms-github-action
util-utf8-browser
v3-monorepo
visualization-shopify-tools
vuestic-admin
wad-workshop-starter
wallet-options
wasm-bindgen
web-scripts-monorepo
web-sdk-mono-repo
webpack-vue-config
whistletips
whitehacker003
workers-airtable-form
workers-airtable-form-handler
workers.cloudflare.com
workerskv.gui
wwi-app
xp-ui
yelp-internal
yelp-schema-design
zcli-monorepo
zilliqa
Sonatype Repository Firewall users remain protected
This discovery follows our earlier report of several dozen malicious packages including npm package 'flame-vali' that attempted to disable Windows Defender multiple times before dropping a trojan.
Sonatype remains at the forefront of timely discoveries and reporting attacks targeting OSS developers, like the ones discussed above.
Users of Sonatype Repository Firewall can rest easy knowing that such malicious packages would automatically be blocked from reaching their development builds.
Sonatype Repository Firewall instances will automatically quarantine any suspicious components detected by our automated malware detection systems while a manual review by a researcher is in the works, thereby keeping your software supply chain protected from the start.
Sonatype's world-class security research data, combined with our automated malware detection technology safeguards your developers, customers, and software supply chain from infections.
Written by Ax Sharma
Ax is a Staff Security Researcher & Malware Analyst at Sonatype with a penchant for open source software. His works and expert analyses have frequently been featured by leading media outlets including the BBC. Ax's expertise lies in security vulnerability research, reverse engineering, and cybercrime investigations. He has a passion for educating a wide range of audiences through writing and vlogs.
Explore All Posts by Ax Sharma