PyPI Malicious Packages with Thousands of Downloads Targeting Python Developers
For the past six months, an unidentified threat actor has been slipping malicious packages into the Python Package Index (PyPI), a repository for Python software. The aim? To unleash malware capable of sneaking into your system, stealing sensitive data, and even nabbing your hard-earned cryptocurrency.
According to a recent report by Checkmarx, these 27 packages, disguised as genuine Python libraries, have been downloaded thousands of times. Most of the downloads came from the United States (41.58%), Germany, Japan, the UK, France, China (12.22%), Hong Kong, Russia, Ireland, and Singapore.
PyPI Malicious Packages: Attack Details
What makes this attack stand out is its use of steganography. Steganography is the practice of hiding information within another ordinary file to avoid detection. In this case, the attackers cleverly hid a malicious payload within an innocent-looking image file, making the attack harder to detect. The software supply chain security firm pointed out that this tactic significantly increased the stealthiness of the attack.
Some of the misleading packages include pyioler, pystallerer, pystob, pyowler, and pyhuluh. Their legitimate counterparts are pyinstaller, pysolr, pyston, prowler, and pyhull respectively. The attack relied on these lookalike names to increase the likelihood that developers would unintentionally install the harmful packages. Downloads of the malicious packages have exceeded four thousand.
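A pre-install typosquat check built around the lookalike names above, as an added example (not code from the Checkmarx report or from the article): it normalises names the way PyPI does and flags a requested package that is within two edits of an approved name without being an exact match. The approved list is a hypothetical allowlist; note that edit distance alone misses pystallerer, which is more than two edits from pyinstaller, so this is one signal rather than a complete defence.

```python
import re

# Hypothetical allowlist: the legitimate names the article says were imitated.
# A real deployment would use the project's full set of approved dependencies.
KNOWN_GOOD = {"pyinstaller", "pysolr", "pyston", "prowler", "pyhull"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def typosquat_suspects(name, known_good=KNOWN_GOOD, max_edits=2):
    """Known-good names within max_edits of `name`, nearest first.

    An exact match (distance 0) is the package the developer meant and is
    not reported; only near misses are.
    """
    n = normalize(name)
    hits = [(legit, levenshtein(n, normalize(legit))) for legit in known_good]
    return sorted((h for h in hits if 0 < h[1] <= max_edits), key=lambda h: h[1])


def check_requirements(requested):
    """Map each requested name that looks like a typosquat to its near matches."""
    flagged = {}
    for pkg in requested:
        near = typosquat_suspects(pkg)
        if near:
            flagged[pkg] = near
    return flagged


if __name__ == "__main__":
    # Constructed sample: the lookalike names from the article plus one legitimate one.
    sample = ["pyioler", "pystallerer", "pystob", "pyowler", "pyhuluh", "pysolr"]
    for pkg, near in check_requirements(sample).items():
        print(f"{pkg}: within 2 edits of {near}")
```

On the sample, pyioler is flagged for its closeness to pysolr rather than to pyinstaller, which shows that the nearest approved name is not always the one the attacker was imitating.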
The trick used in these packages is a setup.py script that references other malicious packages such as pystob and pywool. These, in turn, use a Visual Basic Script (VBScript) to download and execute a file named “Runtime.exe”, establishing a persistent presence on the victim’s system.
Hidden within the binary file is a compiled program capable of extracting information from web browsers, cryptocurrency wallets, and various applications.
Checkmarx also noted an alternate attack chain, where the attackers concealed the executable code within a PNG image (“uwu.png”). This image is decoded and run to extract the public IP address and the universally unique identifier (UUID) of the affected system.
Packages like pystob and pywool posed as tools for API management, but their real agenda was to exfiltrate data to a Discord webhook. Additionally, they attempted to maintain persistence by placing the VBS file in the Windows startup folder.
In a digital landscape filled with threats, it’s crucial for developers and users to stay vigilant and identify malicious PyPI packages. Given the increasing risks, the U.S. government has issued new guidance this month urging developers and suppliers to prioritize software security and raise awareness of it. The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and the Office of the Director of National Intelligence (ODNI) recommend supply chain risk assessments to inform purchasing decisions and avoid falling victim to software supply chain incidents like this one.