School Kid Uploads Ransomware Scripts to PyPI Repository as Fun Project

Published: 23/11/2024   Category: security




The malware packages had names that were common typosquats of a legitimate widely used Python library. One was downloaded hundreds of times.



An apparently school-age hacker based in Verona, Italy, has become the latest to demonstrate why developers need to pay close attention to what they download from public code repositories these days.
The young hacker recently uploaded multiple malicious Python packages containing ransomware scripts to the Python Package Index (PyPI), supposedly as an experiment.
The packages were named requesys, requesrs, and requesr, which are all common typosquats of requests — a legitimate and widely used HTTP library for Python.
According to the researchers at Sonatype who spotted the malicious code on PyPI, one of the packages (requesys) was downloaded about 258 times — presumably by developers who made typographical errors when attempting to download the real requests package. The package had scripts for traversing folders such as Documents, Downloads, and Pictures on Windows systems and encrypting them. 
One version of the requesys package contained the encryption and decryption code in plaintext Python. But a subsequent version contained a Base64-obfuscated executable that made analysis a little harder, according to Sonatype.
Developers whose systems were encrypted received a pop-up message instructing them to contact the author of the package — b8ff (aka OHR or Only Hope Remains) — on his Discord channel for the decryption key. Victims were able to obtain the decryption key without having to make a payment for it, Sonatype says.
And that makes this case more of a gray area rather than outright malicious activity, Sonatype concludes. Information on the hacker's Discord channel shows that at least 15 victims had installed and run the package.
Sonatype discovered the malware on July 28 and immediately reported it to PyPI's administrators, the company says. Two of the packages have since been removed and the hacker has renamed the requesys package, so developers no longer mistake it for a legitimate package.
There are two takeaways here, says Ankita Lamba, senior security researcher at Sonatype. First, be cautious when typing out the names of popular libraries, as typosquatting is one of the most common attack methods for malware, she says.
Second and more broadly, developers should always be cautious about what they’re downloading and what packages they’re incorporating into their software builds. Open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks, Lamba says.
The incident is among a growing number of instances recently in which threat actors have planted malicious code in widely used software repositories, with the goal of getting developers to download and install it in their environments. 
Some of them — like the latest incident — have involved typosquatted packages, or malware with similar-sounding names to legitimate software on public software repositories. In May, for instance, Sonatype found that some 300 developers had downloaded a malicious package for distributing Cobalt Strike called Pymafka from the PyPI registry, thinking it was PyKafka, a legitimate and widely downloaded Kafka client.
Also in May, Sonatype discovered another malicious package on PyPI called karaspace, used for stealing system information, that had the same name as a legitimate Kafka project on GitHub.
In July, researchers at Kaspersky discovered four information-stealing packages in the Node Package Manager (npm) repository. The same month, ReversingLabs reported finding some two dozen heavily obfuscated npm modules for stealing data that had been downloaded more than 27,000 times. The vendor estimated the malicious packages were likely installed in hundreds — and likely even thousands — of mobile applications and websites.
Security researchers have pointed to the trend as heightening the need for organizations to pay closer attention to their software supply chains — especially when it comes to using open source software from public repositories such as PyPI, npm, and Maven Central.
Following the latest discovery, researchers at Sonatype contacted the author of the malicious code and found him to be a self-described school-going hacker apparently intrigued by exploits and the ease of developing them.
Lamba says b8ff told Sonatype that the ransomware script was completely open source and part of a project that he had developed for fun.
As they are a school-going learning developer, this was meant to be a fun research project on ransomware exploits that could have easily gone much further astray, Lamba says. The author went on to say that they were surprised to see how easy it was to create this exploit and how interesting it was.
