Security researchers have discovered another sizeable haul of malicious packages on the npm and PyPI open source registries, which could cause issues if unwittingly downloaded by developers.
In January, Sonatype said it found 691 malicious npm packages and 49 malicious PyPI components containing crypto-miners, remote access Trojans (RATs) and more.
The discoveries by the firm’s AI tooling bring its total haul to nearly 107,000 packages flagged as malicious, suspicious or proof-of-concept since 2019.
It includes multiple packages that contain the same malicious package.go file – a Trojan designed to mine cryptocurrency from Linux systems. Sixteen of these were traced to the same actor, trendava, who has now been removed from the npm registry, according to Sonatype.
Separate finds include PyPI malware “minimums,” which is designed to check for the presence of a virtual machine (VM) before executing. The idea is to frustrate security researchers, who often run suspected malware in VMs to learn more about a threat.