The indicators of compromise (IoCs) for these packages, according to Fortinet, are the same as those for the PyPI package known as “culturestreak,” which was found earlier in September.The “import” statement in the init.py file initiates the malicious code. The processor.py module contains the malware’s initial phase.
The code decodes and obtains a shell script called “unmi.sh” from a remote site. It then obtains the CoinMiner file housed on GitLab and a configuration file for the mining activity. The attacker downloads two crucial files onto the user’s device using the “unmi.sh” script: The first one is “config.json,” a configuration file needed to run the installed program. This file describes the mining configuration for cryptocurrencies.