
Ransomware campaign targets popular open-source packages with cleverly hidden payload

December 12, 2022 – Published on SC Magazine

An ongoing ransomware campaign hides its payload in an uncommon way by targeting popular open-source packages that typically receive nearly 15 million installations per week, according to new findings by Checkmarx and Phylum.

In a blog post, Checkmarx researchers said the campaign uses a form of typosquatting to target the popular “requests” package on PyPI and the “discord.js” package on npm, and includes embedded ransomware. When executed, the ransomware encrypts files on the victim’s computer and demands payment of $100 in cryptocurrency to unlock them.

The malware payload supports multiple operating systems, allowing the campaign to target a wider audience. In addition, attackers named the ransomware messages and infrastructure after the U.S. Central Intelligence Agency.
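The campaign described above relies on package names that look like “requests” and “discord.js”. The following added example (written for this article, not code from Checkmarx, Phylum, PyPI or npm) shows one defensive check a build pipeline can run before installing anything: compare each requested name against an allow-list of the popular packages a project depends on, after normalizing separators, and flag near-misses by edit distance. The allow-list, the manifest lines and the distance threshold are constructed assumptions for the demo.

```python
# Added example: a typosquat screen for package manifests.
# Not code from the article's sources; names and thresholds are assumptions.
import re
from typing import List, Optional, Tuple

# Assumption: high-download packages the organisation actually depends on,
# keyed by ecosystem. In practice this comes from a lockfile or a curated list.
POPULAR = {
    "pypi": {"requests", "urllib3", "numpy"},
    "npm": {"discord.js", "express", "lodash"},
}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    and adjacent transposition each cost 1 (catches 'reqeusts')."""
    n, m = len(a), len(b)
    d = [[0] * (m + 1) for _ in range(n + 1)]
    for i in range(n + 1):
        d[i][0] = i
    for j in range(m + 1):
        d[0][j] = j
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,        # deletion
                          d[i][j - 1] + 1,        # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[n][m]


def normalize(name: str) -> str:
    """Lower-case and drop '-', '_' and '.' so that 'discord-js',
    'discordjs' and 'discord.js' all compare equal."""
    return re.sub(r"[-_.]", "", name.lower())


def typosquat_candidate(name: str, ecosystem: str,
                        max_distance: int = 2) -> Optional[str]:
    """Return the popular package this name resembles, or None.
    An exact allow-listed name is legitimate and never flagged; a name that
    only becomes equal after normalization (e.g. 'discordjs') is flagged."""
    popular = POPULAR[ecosystem]
    if name in popular:
        return None
    norm = normalize(name)
    best: Optional[Tuple[int, str]] = None
    for legit in popular:
        dist = osa_distance(norm, normalize(legit))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, legit)
    return best[1] if best else None


def screen_manifest(lines: List[str], ecosystem: str) -> List[Tuple[str, str]]:
    """Scan requirement-style lines ('pkg==1.0', 'pkg>=2', 'pkg[extra]')
    and return (requested_name, resembled_popular_name) pairs to review."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[=<>~!;\[ ]", line, maxsplit=1)[0].strip()
        hit = typosquat_candidate(name, ecosystem)
        if hit:
            findings.append((name, hit))
    return findings


if __name__ == "__main__":
    # Constructed sample manifest: one legitimate pin, one transposed name,
    # one unrelated package.
    sample = ["requests==2.28.1", "reqeusts", "flask>=2", "# comment"]
    for requested, looks_like in screen_manifest(sample, "pypi"):
        print(f"REVIEW: '{requested}' resembles popular package '{looks_like}'")
```

Run it against a requirements file before `pip install -r` (or a `package.json` dependency list for npm) and fail the build on any finding; the threshold of 2 keeps single-character swaps and separator tricks while leaving genuinely different names such as `flask` alone.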

Kristen Bell, director of application security at GuidePoint Security, said she expects a rise in ransomware within the open-source ecosystem in the upcoming months.

“Both ransomware and open-source attacks are on the rise, so it is not surprising to see them being combined,” Bell told SC Media in an email.
