python-dateutils — A disguised cryptominer for Windows, Linux, macOS



Beware of the ‘python-dateutils’ Malware!

Many of you might be familiar with the Python module ‘dateutil,’ a popular tool that extends Python’s standard datetime library. However, a recent alert from Sonatype’s automated malware detection system has uncovered a malicious package named ‘python-dateutils’ on PyPI. This package poses significant threats by mining Monero (XMR) cryptocurrency on your computer and stealing AWS credentials, regardless of whether you’re using Windows, Linux, or macOS.



What is Typosquatting?

The ‘python-dateutils’ package is a classic example of a typosquatting attack. Typosquatting involves naming a malicious package similar to legitimate ones, hoping that users will mistakenly download the wrong package. In this case, ‘python-dateutils’ mimics legitimate libraries like dateutil, python-dateutil, and dateutils. While there are some indications that ‘python-dateutils’ might have been legitimate in the past, the current versions have been identified as harmful.
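One defensive check that follows from the typosquatting pattern above, added here as an example and not part of the article or of any Sonatype tool: a pre-install gate that flags a requested package name sitting within a couple of edits of a package the project already trusts. The trusted list, the normalisation and the distance threshold are all assumptions made for this example; in practice the list would come from a lockfile or an internal allowlist.

```python
"""Added example, not part of the article or any Sonatype tool: a
pre-install check that flags a requested package name sitting within a
couple of edits of a package the project already trusts. TRUSTED is
constructed for the example."""
from __future__ import annotations

import re

# Constructed allowlist; a real one would come from a lockfile or registry.
TRUSTED = {"python-dateutil", "requests", "numpy", "setuptools"}


def normalize(name: str) -> str:
    """PEP 503 name normalisation: case-fold and collapse runs of - _ . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete a[i]
                           cur[j - 1] + 1,              # insert b[j]
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_name(requested: str, trusted: set[str] = TRUSTED,
               max_distance: int = 2) -> dict:
    """Classify `requested` as trusted, a possible typosquat of a trusted
    name (within `max_distance` edits), or simply unknown."""
    req = normalize(requested)
    by_norm = {normalize(t): t for t in trusted}
    if req in by_norm:
        return {"name": requested, "status": "trusted"}
    distance, nearest = min((levenshtein(req, n), t) for n, t in by_norm.items())
    status = "possible-typosquat" if distance <= max_distance else "unknown"
    return {"name": requested, "status": status,
            "nearest": nearest, "distance": distance}


if __name__ == "__main__":
    for name in ("python-dateutils", "Python_DateUtil", "flask"):
        print(check_name(name))
```

A name that normalises to a trusted one passes; a name one or two edits away from a trusted one is held for review rather than installed; anything else is simply unknown and goes through whatever the normal policy for new dependencies is.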

Analyzing the Malicious Code

Obfuscation Techniques

Sonatype’s security research team has extensively studied thousands of malicious packages across various open-source ecosystems. During their analysis, they have encountered several obfuscation techniques used by cybercriminals, including steganography, Base64 encoding, and minification. The ‘python-dateutils’ package employs Base64 encoding combined with the ROT13 cipher for obfuscating text. ROT13 is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet.

When examining the package’s setup.py manifest file, the obfuscation becomes evident:

The file contains variable names written as hexadecimal escape sequences of their ASCII characters, such as magic, love, and god, which are used to instruct the Python interpreter to evaluate the encoded code.
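To show how the Base64 plus ROT13 layering described above is unwound during triage, here is an added example (not code from the article, from Sonatype, or from the malicious package). The payload it decodes is constructed inline: a harmless print statement, ROT13-rotated and then Base64-encoded. Because ROT13 is its own inverse and rotated Python is often still syntactically valid, the decoder picks the rotation direction that yields more genuine Python keywords and builtins; that heuristic, and the word list behind it, are this example's assumptions.

```python
"""Added example (not code from the article, Sonatype, or the malicious
package): peel alternating Base64 and ROT13 layers off a blob the way an
analyst does when triaging an obfuscated setup.py. SAMPLE is constructed:
a harmless print statement, ROT13-rotated and then Base64-encoded."""
from __future__ import annotations

import base64
import binascii
import builtins
import codecs
import keyword
import re

SAMPLE = base64.b64encode(
    codecs.encode("print('hello from setup.py')", "rot_13").encode()
).decode()

# Words readable Python source tends to contain; ROT13-rotated source almost
# never does, which is how we pick the right rotation direction.
_PY_WORDS = set(dir(builtins)) | set(keyword.kwlist) | {
    "os", "sys", "subprocess", "requests", "setup", "setuptools", "platform",
}
_B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")


def try_base64(text: str) -> str | None:
    """Return the decoded UTF-8 text if `text` is strict Base64, else None."""
    compact = "".join(text.split())
    if not _B64_CHARS.match(compact) or len(compact) % 4:
        return None
    try:
        return base64.b64decode(compact, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def python_score(text: str) -> int:
    """-1 if `text` is not syntactically valid Python; otherwise the number of
    identifiers that are real keywords, builtins or common module names."""
    try:
        compile(text, "<decoded>", "exec")
    except (SyntaxError, ValueError):
        return -1
    return sum(1 for w in re.findall(r"[A-Za-z_]\w*", text) if w in _PY_WORDS)


def peel(blob: str, max_layers: int = 8) -> tuple[str, list[str]]:
    """Strip Base64 and ROT13 layers until neither makes the text more
    Python-like. Returns (innermost text, layers removed, outermost first)."""
    layers: list[str] = []
    cur = blob
    for _ in range(max_layers):
        decoded = try_base64(cur)
        if decoded is not None:
            layers.append("base64")
            cur = decoded
            continue
        rotated = codecs.decode(cur, "rot_13")
        # ROT13 is its own inverse, so only accept the rotation that yields
        # more genuine Python than the current text does.
        if python_score(rotated) > python_score(cur):
            layers.append("rot13")
            cur = rotated
            continue
        break
    return cur, layers


if __name__ == "__main__":
    source, layers = peel(SAMPLE)
    print("layers removed:", layers)
    print("decoded source:", source)
```

The decoded text is only ever compiled, never executed, so the routine is safe to point at a real blob; the `max_layers` cap keeps a pathological input from looping.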


Below is a snippet from the decoded version of the ‘setup.py’ file:

The python-dateutils package's webhook function in the __init__.py file, showing code that sends system information to a Discord webhook and loads a Monero crypto miner.

Mining Monero (XMR)

The malicious package uses MoneroOcean’s GitHub repository to mine Monero cryptocurrency. The decoded script contains a Discord webhook (line 23) to exfiltrate data like your IP address, operating system information, and AWS credentials:

hXXps://discord[.]com/api/webhooks/991208558098141264/hLnYmQl9k38eM7PChAqZJzn6Jsele4fU04GLlaT-zfww0JdMw4j1zhazpUjBOjEuGzpA

From line 38 onwards, the script checks your operating system and loads the appropriate crypto miner, whether it’s a Bash or PowerShell version, from MoneroOcean’s GitHub repository. The attacker’s wallet address remains the same across platforms:

4AZ6u7wEVZ7EDFAXCnZGkf1PwRPMDStboTzzwJhf1LcJiK3Ki4H2SgjVCnFsgkwDoVa5De6zWQaXUcsEz1Hgu7b1LnvBTpu



Similar obfuscated code is also found in the src/dateutil/__init__.py file within the ‘python-dateutils’ package. Though the directory includes some legitimate code to camouflage the malware, the ‘__init__.py’ file echoes the suspicious ‘setup.py’ file.


The python-dateutils package's __init__.py file, showing Python code obfuscated with Base64 and ROT13 encoding.

Stealing AWS Credentials

Decoding the __init__.py file reveals the complete extent of the threat. Alongside mining Monero, the package uses the Discord webhook to exfiltrate your AWS credentials stored in ~/.aws/credentials. The exfiltration occurs when the ‘webhook’ function is called (lines 48, 52, and 56), sending the collected credentials, IP address, and system fingerprinting information to the endpoint.
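The behaviours the article describes in the setup.py and __init__.py sections (dynamic evaluation of encoded code, hex-escaped identifiers, a Discord webhook, a read of ~/.aws/credentials, a platform check that picks a MoneroOcean miner) can be turned into a static triage pass over decoded package source. The following is an added example, not the article's or Sonatype's code; the rules, the verdict thresholds and SAMPLE_SOURCE are all constructed for it, with a placeholder webhook token and an `example.invalid` URL in place of any real endpoint.

```python
"""Added example (not the article's or Sonatype's code): a static triage
pass over already-decoded Python package source, flagging the behaviours
the article describes. SAMPLE_SOURCE is constructed for this example and is
only scanned as text, never executed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample; the webhook token and miner URL are placeholders.
SAMPLE_SOURCE = r'''import os, platform
magic = "\x6d\x61\x67\x69\x63"
HOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"
creds = open(os.path.expanduser("~/.aws/credentials")).read()
if platform.system() == "Windows":
    miner = "https://example.invalid/MoneroOcean/setup.ps1"
exec(decoded_payload)
'''


@dataclass
class Finding:
    rule: str
    line: int
    evidence: str


# Deliberately broad patterns: output is for a human reviewer, not an
# automatic block.
RULES = [
    ("dynamic-exec", re.compile(r"\b(exec|eval)\s*\(")),
    ("hex-escaped-identifier", re.compile(r"(?:\\x[0-9a-fA-F]{2}){3,}")),
    ("discord-webhook", re.compile(r"discord(?:app)?\.com/api/webhooks/\S+", re.I)),
    ("aws-credentials-read", re.compile(r"\.aws[/\\]credentials")),
    ("moneroocean-miner", re.compile(r"moneroocean|xmrig", re.I)),
    ("platform-branching", re.compile(r"platform\.system\(\)|sys\.platform|os\.name")),
]


def decode_hex_escapes(s: str) -> str:
    """Turn a literal '\\x6d\\x61...' sequence back into readable text."""
    return bytes(s, "ascii").decode("unicode_escape")


def scan(source: str) -> list[Finding]:
    """Run every rule over every line; hex escapes are decoded for the reviewer."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for rule, pattern in RULES:
            for match in pattern.finditer(line):
                evidence = match.group(0)
                if rule == "hex-escaped-identifier":
                    evidence = f"{evidence} -> {decode_hex_escapes(evidence)!r}"
                findings.append(Finding(rule, lineno, evidence))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Combine rules into a triage level: exfiltration or a miner is high,
    obfuscation feeding exec/eval is medium, a lone hit is low."""
    rules = {f.rule for f in findings}
    if "moneroocean-miner" in rules or {"discord-webhook", "aws-credentials-read"} <= rules:
        return "high"
    if {"dynamic-exec", "hex-escaped-identifier"} <= rules:
        return "medium"
    return "low" if rules else "clean"


if __name__ == "__main__":
    results = scan(SAMPLE_SOURCE)
    for f in results:
        print(f"line {f.line:>3}  {f.rule:<24} {f.evidence}")
    print("verdict:", verdict(results))
```

Run it against the output of a layer-peeling decoder rather than the raw obfuscated file, since most of these strings only appear after decoding; the `platform-branching` rule is noise on its own and is only there to corroborate the miner-selection logic the article describes.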

Screenshot of the __init__decoded.py file from the python-dateutils package, showing a webhook function that exfiltrates data to a Discord URL.

Fortunately, Sonatype reported the package, and it was removed from the PyPI registry. According to PePy.tech, which tracks PyPI downloads, ‘python-dateutils’ was downloaded just under 1,000 times before being taken down.

Protecting Against Software Supply Chain Attacks

This discovery follows a series of recent disclosures about malicious Python packages stealing sensitive information. Sonatype continues to lead in open-source software security, ensuring the protection of developers, the ecosystem, and the software supply chain. The escalating number of malicious packages highlights the urgent need for automation in security measures.


Users of Sonatype Repository Firewall can have peace of mind, knowing that such harmful packages are automatically blocked from infiltrating their development builds.

Flowchart of Sonatype Repository Firewall showing the process of analyzing new software components, quarantining malicious ones, and releasing safe components into the development pipeline.

Sonatype Repository Firewall instances automatically quarantine suspicious components detected by automated malware detection systems, while a manual review is conducted. This proactive approach ensures your software supply chain is protected from the outset.

Combining Sonatype’s top-tier security research data with their automated malware detection technology, developers, customers, and software supply chains are safeguarded against infections. The importance of such measures cannot be overstated, as open-source software security challenges continue to grow.


Image Credit: www.sonatype.com
