New PyPI package discovered providing fileless Linux malwareSecurity Affairs

Security researchers have discovered a new PyPI package designed to drop a fileless cryptominer on Linux systems.

Sonatype researchers discovered a new PyPI package named ‘secretslib‘ which deposits a fileless cryptominer into the memory of Linux machine systems.

The package describes itself as “secret matching and verification made easy”, it has a total of 93 downloads since August 6, 2020.

Sonatype identified a “secretslib” PyPI package that describes itself as “secret matching and verification made easy”. reads the message posted by the experts. “On closer inspection, the package secretly runs cryptominers on your Linux machine in memory (directly from your RAM), a technique widely used by fileless malware and encryptors.”

The package fetches a Linux executable from a remote server and runs it to drop an ELF file (“memfd“) directly in memory. This is a Monero crypto-miner likely created through the ‘memfd_create‘ system call.

“Linux system calls like ‘memfd_create’ allow programmers to drop ‘anonymous’ files into RAM instead of writing the files to disk. Since the intermediate step of outputting the malicious file to the hard drive is skipped, it may not be as easy for antivirus products to proactively detect fileless malware, which now resides in memory. volatile of a system, although the task is certainly not impossible. continues the analysis. “Additionally, since the ‘secretslib’ package removes ‘tox’ as soon as it runs and the cryptomining code injected by ‘tox’ resides in the system’s volatile memory (RAM) as opposed to the hard drive , the malicious activity leaves little or no footprint and is quite “invisible” in a forensic sense.

Interestingly, the threat actors behind the “secretslib” used the name of an engineer working for Argonne National Laboratory (, an Illinois-based science and engineering research laboratory operated by UChicago Argonne LLC for the U.S. Department of Energy.

A few days ago, Check Point researchers discovered ten more malicious packages on the Python Package Index (PyPI). The packages install information stealers that allow hackers to steal developers’ private data and personal credentials.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hack, PyPI package)

Comments are closed.