How Three New Malicious PyPI Packages Transformed Linux Devices into Cryptocurrency Miners?
These packages demonstrate a sophisticated multi-phase attack pattern that culminates in the deployment of a CoinMiner

The discovery of three malicious Python Package Index (PyPI) packages targeting Linux devices with a cryptocurrency miner reflects a disturbing trend in software supply chain attacks.
These packages — modularseven-1.0, driftme-1.0, and catme-1.0 — originate from a newly created author account “sastra” and demonstrate a sophisticated multi-phase attack pattern that culminates in the deployment of a CoinMiner.
This recent incident, as reported by Fortinet, highlights the increasingly cunning tactics of malicious actors within the open-source ecosystem.
Anatomy of the Attack
The attack begins subtly with the __init__.py file in the packages modularseven, driftme, and catme.
Upon execution, a shell script named unmi.sh is retrieved and executed, setting the stage for the miner's deployment.

The script secures a configuration file outlining the mining operations and the CoinMiner file itself, discreetly hosted on GitLab.
The Deceptive Strategy
What sets these packages apart is the additional layer of subterfuge.
By embedding the malicious commands within a shell script, the attackers have crafted a more elusive trap that can more easily slip past security defenses.
Furthermore, by inserting these commands into the ~/.bashrc file, they ensure the malware's persistence across system reboots and user sessions, effectively turning the user's device into a stealthy mining bot.
Trends and Techniques: A Broader View
The Fortinet report draw attention to the striking similarities between these packages and the earlier identified ‘culturestreak’ package.
The use of the same domain (papiculo[.]net) for hosting the configuration file and the choice of a public GitLab repository for the executables reinforce the likelihood of a common perpetrator.
Staying Ahead of the Curve
This incident underscores the necessity of rigorous security practices and the importance of a proactive defense.
For users and developers alike, the message is clear: stay alert to the signs of compromise and maintain a strong security posture.
A Call to Action
This is not merely an isolated case but a symptom of a broader challenge within the digital landscape.
It is important to scrutinize code, particularly from unofficial sources, and to employ comprehensive security measures, including the use of trusted antivirus and anti-malware solutions that are regularly updated to combat such sophisticated attacks.
For Further Reading
The technical specifics and the evolution of these attacks are detailed in the original article from Fortinet. Readers who wish to delve deeper into the analysis can find the comprehensive report at Fortinet’s Blog.
In Conclusion
The battle against such hidden threats is ongoing.
The open-source community must continue to foster transparency and security, empowering users to defend their digital sovereignty.
This incident serves as a call to action for enhanced vigilance and a reminder of the importance of community collaboration in identifying and neutralizing such threats before they proliferate.
Enjoyed the read? For more on Web Development, JavaScript, Next.js, Cybersecurity, and Blockchain, check out my other articles here:
If you have questions or feedback, don’t hesitate to reach out at [email protected] or in the comments section.
[Disclosure: Every article I pen is a fusion of my ideas and the supportive capabilities of artificial intelligence. While AI assists in refining and elaborating, the core thoughts and concepts stem from my perspective and knowledge. To know more about my creative process, read this article.]






