HomeTech NewsCybersecurityRansomware in Python package manager PyPI: The return of the script kiddies

Ransomware in Python package manager PyPI: The return of the script kiddies

Published on

- Advertisement -

A number of packages have used typosquatting and distributed code that encrypts files on Windows. The motives are vague.


Until recently, the python package manager PyPI apparently contained packages that start a ransomware attack on Windows. The attacker relies on typosquatting: Sonatype has identified three packages with names similar to the commonly used HTTP library Requests: requesys, requesrs and requesr.

An examination of the content of requesys has revealed Python code which, under Windows, goes through the user directory subfolders “Documents”, “Pictures”, “Videos” and “Music” and encrypts the content. It uses the Python module Fernet in the cryptography package.



After the program has encrypted the content, a window appears stating that the files are now encrypted and unfortunately the victim does not have the key. The package author with the pseudonym b8ff can help on Discord. To do this, you should accept the invitation to the Discord server OHR (Our Hope Remains).

According to Sonatype’s research, the code actually uploads the key to the attacker’s Discord server. There were standing in the Discord channel at the time of the investigation #ransomware-notifications the usernames of 15 victims who installed and ran the package. The key required to decrypt the directories was found under the user names. The most recent entry in the channel is from July 31st.


The original attack code package contained the code in plain text. The attacker has since released version 1.5, which includes a Base64-encoded file as a Windows executable. The way it works remains the same: the program encrypts the content, uploads the key to the Discord server and displays the warning with the invitation.

Not only is the code now obscure, the intention is also obscure. The Python Exploits repository can be found on GitHub under the pseudonym b8ff, which refers to the use of the ransomware and even the blog post by Sonatype. The readme warns that b8ff takes no responsibility for how users use the module. There is also a YouTube channel with hacking tutorials under the pseudonym OHR.

It is therefore not apparent that b8ff, as an ethical hacker, only wants to warn of the dangers, especially since the code actually encrypts the data without warning. However, there is no discernible financial motivation either: the victims receive their key on Discord without paying a ransom.

However, the author of the code has responded to Sonatype’s request, stating that the packages are fully open source and that it is a “fun project”. He describes the code as harmless: “The ransomware has [technically] no ransom”, since he doesn’t ask for money. Finally, he comes out as a script kiddie, almost cliché-like: “I’m still at school and currently I know Python, Lua, HTML and a little bit of C++; that’s it.”


Typosquatting and Co in PyPI and npm

Malicious code in open source packages is one of the most common attacks on the software supply chain. Attackers publish supposedly useful packages on package managers that developers use in their applications. Common methods are typosquatting and brandjacking. The latter uses company names like Twilio to spoof a legitimate source.

With typosquatting, malicious code packages are given names similar to popular packages. On the one hand, the method relies on typos and, on the other hand, uses separators such as underscores and hyphens. Out of my-packet becomes my-paket, mypacket or my_packet. Someone will make a typing mistake, so the legitimate hope of the attackers.

Another attack vector are initially useful and harmless packages that only bring the malicious code with them when they have reached a certain level of distribution. The npm team discovered such a package in 2019 with electron-native-notify. Finally, Dependency Confusion attempts to replace internally hosted dependencies with external packages of the same name containing malicious code. The latter are given a high version number because the package installation tools such as pip use the package with the highest number, which is supposed to be the most up-to-date, depending on the setting.


More details about the attack and the code can be found on the Sonatype blog. In the meantime, b8ff has renamed the package to PyPI, and the two packages with typosquatting potential, requesrs and requesr, are also no longer in the package manager directory.

- Advertisement -

Latest articles

Never do this with your router

We all have a router at home with which we connect to fiber optics....

So you can put a video as wallpaper on Android phones

Did you know that you can put animated videos as wallpaper on your Android...

YouTube could sell subscriptions to streaming platforms

In other words, you can only get the views that the short content has...

Cast of “Pistol”, the miniseries about one of the bands responsible for inspiring the punk movement

Star+ announced about two months ago about the FX miniseries Pistolbased on the...

More like this