Supply Chain Attack Detected in PyPI Library
Security researchers have discovered numerous malicious Python packages hosted on the PyPI repository, most likely planted there by criminals hoping developers would install them, turning a routine dependency download into a supply chain attack.
Software repositories make good targets for supply chain attacks because potential victims are less suspicious of them. When users download a library or an application from an official source, or even a trusted third-party repository, they don’t expect to get infected. Unfortunately, it happens quite often, which is all the more reason to run a security solution.
Assuming a repository is secure is not a safe bet, as the researchers from JFrog found out.
“We are now reporting several Python packages hosted on PyPI as malicious,” said the JFrog team. “We have alerted PyPI about the existence of the malicious packages, which promptly removed them. Based on data from pepy.tech, we estimate the malicious packages were downloaded about 30,000 times.”
The list of packages detected as malware:
| Package name | Maintainer | Payload |
|---|---|---|
| noblesse | xin1111 | Discord token stealer, credit card stealer (Windows-based) |
| genesisbot | xin1111 | Same as noblesse |
| are | xin1111 | Same as noblesse |
| suffer | Suffer | Same as noblesse, obfuscated by PyArmor |
| noblesse2 | Suffer | Same as noblesse |
| noblessev2 | Suffer | Same as noblesse |
| pytagora | leonora123 | Remote code injection |
| pytagora2 | leonora123 | Same as pytagora |
The packages hid various malicious functions, such as a credit card stealer and code injection. Beyond the direct effects of the malware, the attackers could have deployed additional tools if they wished. The packages also used several forms of obfuscation, some more complex than others, in an attempt to avoid detection.
“Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks,” the researchers said.
Unfortunately, it is difficult to determine the real-world impact of these tools, but given the number of downloads in this scheme, it stands to reason that the attackers compromised at least some systems belonging to the people who downloaded the packages.
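As an added defensive example (not part of the original article or JFrog's research), the script below audits a requirements.txt against the package names listed above and flags dependency names that sit one edit away from a legitimate package, the pattern typosquatting relies on. The POPULAR set and the sample requirements file are constructed for illustration.

```python
import re
# Package names JFrog reported as malicious, taken from the table above.
MALICIOUS = {"noblesse", "genesisbot", "are", "suffer", "noblesse2",
             "noblessev2", "pytagora", "pytagora2"}
# Assumed set of legitimate names a typosquatter might imitate (extend for your stack).
POPULAR = {"requests", "urllib3", "numpy", "pandas", "cryptography", "django"}

def normalize(name):
    # PEP 503 normalization: lowercase, runs of '-', '_' and '.' collapse to '-'
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirements(text):
    # Return normalized project names; skip comments, blanks and option lines (-r, -e)
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(normalize(m.group(0)))
    return names

def audit(text, max_distance=1):
    # Return (name, reason) pairs for known-malicious names and typosquat candidates
    findings = []
    for name in parse_requirements(text):
        if name in MALICIOUS:
            findings.append((name, "known-malicious"))
        elif name not in POPULAR:
            near = [p for p in POPULAR if levenshtein(name, p) <= max_distance]
            if near:
                findings.append((name, "typosquat-candidate:" + sorted(near)[0]))
    return findings

SAMPLE = """\
# constructed sample requirements.txt
requests==2.31.0
Noblesse            # on JFrog's list; case differs, normalization catches it
requets>=2.0        # one edit away from 'requests'
"""
```

Running `audit(SAMPLE)` flags `noblesse` as known-malicious and `requets` as a typosquat candidate for `requests`, while the genuine `requests` pin passes.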
Silviu is a seasoned writer who has followed the technology world for almost two decades, covering topics ranging from software to hardware and everything in between.