Researchers have found a new PyPI package named ‘secretslib‘ that drops file-less crypto-miner to the memory of Linux machine systems.
The package in question (now gone from the PyPI) was named “secretslib” which “describes itself as ‘secrets matching and verification made easy’,” according to Sonatype Researchers Who have found it.
It achieves this by executing a Linux executable file retrieved from a remote server post installation, whose main task is to drop an ELF file (“memfd“) directly in memory that functions as a Monero crypto miner, after which it gets deleted by the “secretslib” package.
It is interesting to note that threat actors behind the ‘secretslib’ used the name of an engineer working for Argonne National Laboratory (ANL.gov), an Illinois-based science and engineering research lab operated by UChicago Argonne LLC for the U.S. Department of Energy.
The good news is that Sonatype let the named engineer know about the package, which resulted in PyPI swiftly yanking it after less than 100 downloads.