
Over 200 Cryptomining Packages Discovered in PyPI and npm Registries


22. Aug 2022


Malware in package registries appears to be on the rise. Last week, security researcher Hauke Lübbers revealed 33 projects on PyPI containing XMRig, an open-source Monero cryptominer. Although PyPI admins swiftly took the packages down, Sonatype, a software supply chain management company, obtained copies of the packages that contained the malicious scripts.

The projects Lübbers discovered were mostly misspellings of well-known packages like React, argparse, and AIOHTTP. Additionally, Sonatype's automated malware detection platform discovered 186 npm typosquatting packages flooding the npm registry, which the company believes were published by the same threat actor. Lübbers later discovered that the same threat actor distributed an additional 22 PyPI packages containing the same malicious payload.

When installed by developers, the scripts notify the threat actor of the IP address of the compromised host as well as the status of the cryptominer deployment. In total, more than 241 malicious npm and PyPI packages containing cryptominers have been discovered, targeting Linux machines.

Lübbers published his findings on Twitter, and a complete list of the malicious packages identified by Sonatype is in the company's full report. Malware continues to be a growing threat to the developer community, but we can take solace in the fact that registries are quick to respond, removing all affected packages as soon as they are notified. However, we cannot emphasise enough how important it is for developers who rely on open-source packages from PyPI and npm to exercise caution when installing anything.
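As an added example that is not from the article, Sonatype or Lübbers, here is the kind of defensive check the typosquatting paragraph and the closing advice call for: comparing each requested dependency name against a shortlist of popular packages using an edit distance that also counts adjacent-letter swaps. The shortlist and the requirements file are constructed for the demo, so a real audit would substitute a current snapshot of the registry's most-downloaded names.

```python
import re

# Constructed shortlist of well-known names; a real audit would load a current
# snapshot of the registry's most-downloaded packages instead.
KNOWN_PACKAGES = {"aiohttp", "argparse", "react", "requests", "numpy", "flask"}

# Constructed requirements.txt for the demo (not taken from the article).
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
aiohtpp>=3.8       # one substituted letter
argparsee          # one extra letter
reqeusts           # two adjacent letters swapped
numpy[all]~=1.26 ; python_version >= "3.9"
"""

def normalize(name: str) -> str:
    """PEP 503 normalisation: case-fold and collapse runs of '-', '_' and '.'."""
    return re.sub(r"[-_.]+", "-", name).lower()

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: single edits plus adjacent swaps."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]

def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_distance: int = 1) -> list:
    """Known names within max_distance of `name`; empty when `name` itself is known."""
    n = normalize(name)
    if n in known:
        return []
    return sorted(k for k in known if osa_distance(n, k) <= max_distance)

def audit_requirements(text: str, known=KNOWN_PACKAGES) -> dict:
    """Map each suspicious requirement to the popular packages it resembles."""
    findings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()                # drop comments
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)   # name before extras/specifiers
        if m and (hits := typosquat_candidates(m.group(0), known)):
            findings[m.group(0)] = hits
    return findings
```

Exact matches against the shortlist are skipped, so only names one edit or one swap away from a popular package are reported; a name that is simply unknown produces no finding and still needs a human look.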

Sanja Gregic

Junior Online Editor at Software and Support Media GmbH
