Threat actors now prefer to exploit PyPI and npm packages. Attackers were discovered typosquatting popular PyPI packages in a new supply chain attack intended to spread malware. The campaign initially typosquatted Python packages in order to later retrieve any available binaries.
One of the binaries is ransomware which, when activated, encrypts specific files and changes the victim’s desktop wallpaper. For the decryption key, the attackers demand $100 in BTC, XMR, ETH, or LTC. Soon afterwards, the threat actors also published a number of npm packages with identical behaviour.