Three new malicious packages with the ability to distribute a cryptocurrency miner to affected Linux devices have been discovered in the Python Package Index (PyPI) open-source repository. The three harmful packages, named Modularseven, driftme, and catme, were downloaded a total of 431 times last month before being removed.
The malicious code resides in a shell script (“unmi.sh”) that decrypts code from a remote server and initiates the first stage in the init.py file, which hosts a configuration file for mining activity as well as the CoinMiner file. The ELF binary is then executed in the background using the nohup command, which keeps the process running even after the session has ended.
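The following added example (not from the original report or the affected packages) shows one way a defender could triage a package's init file (`__init__.py` in a Python package) before installation, by flagging code that combines command execution with decoding, fetching, or background-shell strings such as `nohup`. The category lists, function names, and both sample sources are assumptions constructed for illustration.

```python
import ast

# Heuristic categories (assumptions for this example, not a complete rule set).
EXEC_SINKS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "exec", "eval"}
DECODERS = {"base64.b64decode", "codecs.decode", "bytes.fromhex"}
FETCHERS = {"urllib.request.urlopen", "requests.get"}
SHELL_WORDS = ("nohup", "curl ", "wget ", "| sh", "|sh", "| bash")

# Constructed samples; they are parsed only, never executed.
SAMPLE_BAD = '''import os, base64
stage = base64.b64decode("Q09OU1RSVUNURUQ=").decode()
os.system(stage)
'''
SAMPLE_OK = '''import subprocess
def version():
    return subprocess.run(["git", "describe"], capture_output=True)
'''

def dotted_name(node):
    """Return 'a.b.c' for Name/Attribute chains, else None."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None

def scan_init_source(source):
    """Return (suspicious, findings) for the text of an init file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            for label, names in (("exec", EXEC_SINKS), ("decode", DECODERS),
                                 ("fetch", FETCHERS)):
                if name in names:
                    findings.append((label, node.lineno, name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(w in node.value for w in SHELL_WORDS):
                findings.append(("shell-string", node.lineno, node.value[:40]))
    kinds = {kind for kind, _, _ in findings}
    # Execution alone is common; execution combined with decoding, fetching
    # or a background-shell string is the pattern worth manual review.
    suspicious = "exec" in kinds and bool(kinds - {"exec"})
    return suspicious, findings
```

Because the scan works on the parsed syntax tree, the package is never imported or run; a hit is a prompt for manual review, not proof of malice.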