Latest News

PyPi Python Packages are the New Source of Supply Chain Attacks

Arti

CloudGuard Spectral detects 10 malicious packages on PyPI, the leading Python package index used by developers for Python.

A dozen malicious Python packages were uploaded to the PyPi repository this weekend in a typosquatting attack that performs DDoS attacks on a Counter-Strike 1.6 server. Python Package Index (PyPi) is a repository of open-source software packages that developers can easily incorporate into their Python projects to build complex apps with minimal effort. On August 8, CheckPoint published a report on ten malicious Python packages in the Python Package Index (PyPI), the most popular Python repository among software developers. The malicious packages were intended to steal developers' data and credentials.

The malicious packages contained nearly identical code as 'requests', but were designed to write to a temporary file a one-liner Python script designed to fetch a next-stage script that in turn downloads and executes the final payload.

Called 'W4SP Stealer', the final payload is a Python trojan that collects saved cookies and passwords from browsers and Discord tokens and sends them to the threat actor via a Discord webhook.

Ten Pypi packages were used to steal credentials

The malicious PyPi packages discovered by CheckPoint and outlined in a new report are:

Ascii2text – Mimicking "art," a popular ASCII Art Library for Python, Ascii2text uses the same description minus the release details. Its code fetches a malicious script that searches for local passwords and exfiltrates them via a Discord webhook.

Pyg-utils, Pymocks, PyProto2 – All three packages target AWS credentials and appear very similar to another set of packages discovered by Sonatype in June. The first even connects to the same domain ("pygrata.com"), while the other two target "pymocks.com".

Test-async – Package with a vague description that fetches malicious code from a remote resource and notifies a Discord channel that a new infection has been established.

Free-net-VPN and Free-net-vpn2 – User credential harvester published to a site mapped by a dynamic DNS mapping service.

Zlibsrc – Mimicking the zlib project, this package contains a script that downloads and runs a malicious file from an external source.

Browserdiv – Package targeting the credentials of web design programmers. Uses Discord webhooks for data exfiltration.

WINRPCexploit – A credential-stealing package that promises to automate the exploitation of the Windows RPC vulnerability. However, when executed, the package will upload the server's environment variables, which commonly contain credentials, to a remote site under the attacker's control.

Background

PyPI is the leading Python repository and the most commonly in use by Python users. Every python developer is familiar with the 'pip install' daily routine to bring the Python software they need.

Pypi helps developers find and install software developed and shared by other developers of this community. The platform and its use are currently free and developers use the repository daily.  According to its website, Pypi has over 612,240 active users, working on 391,325 projects, with 3,664,724 releases.

What many users are not aware of is the fact that this one-liner simple command can put them at an elevated risk. The pip install command triggers a package installation which can include a setup.py script. This script can include Python snippets to make the required installation process at the target installer machine.

More Trending Stories 

Join our WhatsApp Channel to get the latest news, exclusives and videos on WhatsApp

                                                                                                       _____________                                             

Disclaimer: Analytics Insight does not provide financial advice or guidance. Also note that the cryptocurrencies mentioned/listed on the website could potentially be scams, i.e. designed to induce you to invest financial resources that may be lost forever and not be recoverable once investments are made. You are responsible for conducting your own research (DYOR) before making any investments. Read more here.

Investing $1,000 in DTX Exchange Is Way Better Than Dogwifhat (WIF): Which Will Make Higher ATH This Cycle

Top 6 Best Cryptos to Buy in 2024 for Maximum Growth

Don’t Miss Out On These Viral Altcoins Before BTC Price Hits $100K; Could Rally 300% in December

5 Top Performing Cryptos In December 2024 You’ll Regret Ignoring – Watch Before the Next Breakout

AI Cycle Returning? Keep an Eye on Near Protocol, IntelMarkets, and Bittensor to Rally Before 2025