Skip links

Sonatype shines light on typosquatting ransomware threat in PyPI

Miscreants making use of typosquatting are being spotted by researchers at Sonatype, emphasizing the need to check that the package is really the one you meant to download.

The latest packages detected use variations of the spelling of “Requests”, a hugely popular HTTP library available via PyPI. Of the project, the description notes: “Requests is one of the most downloaded Python packages today, pulling in around 30M downloads / week – according to GitHub. Requests is currently depended upon by 1,000,000+ repositories.”

“You may certainly put your trust in this code,” it adds.

Unless, of course, you inadvertently mistype the name and get something else considerably nastier. Sonatype gave three examples: requesys, requesrs, and requesr, all of which contained ransomware scripts.

Focusing on the requesys package, researchers found scripts that would stomp over Windows user’s folders and begin encrypting files. A successful run then results in a pop-up appearing on the user’s screen which is where things get a bit odd.

The infected user is instructed to join the author’s Discord server where an automatically generated message reveals the decryption keys to unlock files. No payment needed.

So, good news and bad news. Sonatype managed to get hold of the developer responsible, who insisted the packages were merely developed for fun and, since no ransom was demanded or paid, were pretty much harmless.

Hmm, we’re not so sure anyone experiencing the heart-stopping moment arising from a message warning their files are encrypted would agree.

More worryingly, the developer also told Sonatype it was pretty easy to create the exploit, which relies on some careless keyboard bashing on the part of the end user.

The requesys package was renamed by the author, according to Sonatype, “in an effort to prevent further typosquatting victims falling for the ransomware, effectively thwarting the attack.”

The other two examples were removed from PyPI.

The incident is the latest in a series of so-called research experiments and calls to mind other ill-advised actions in the name of experimentation, such as the infamous attempt to sneak some iffy code into Linux.

More recently, the ctx package was compromised on PyPI by an individual claiming no malicious intent even as the software supply-chain attack pulled in information from victims. Nastier still was the typosquatting NPM attack uncovered in July by ReversingLabs.

Sonatype told The Register that the PyPI organization was quick to take down packages and said it had reported its findings to the group. The incident is, however, yet another reminder to take care when downloading packages. Typos are easy to make, and the results could be catastrophic. ®