Cybersecurity researchers have identified a set of 116 malicious packages in the Python Package Index (PyPI) repository designed to infect Windows and Linux systems using a custom backdoor.
“In some cases, the final payload is a variant of the malicious W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both,” ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.
The packages are estimated to have been downloaded over 10,000 times since May 2023.
The threat actors behind the activity were observed using three techniques to bundle malicious code into Python packages: shipping it in a test.py script, embedding PowerShell in the setup.py file, and incorporating it in obfuscated form in the __init__.py file.
Regardless of the method used, the ultimate goal of the campaign is to compromise the target host with malware, primarily a backdoor capable of remote command execution, data exfiltration, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.
Alternatively, the attack chains end in the deployment of W4SP Stealer or a clipper malware that monitors the victim’s clipboard and replaces any cryptocurrency wallet address it finds with one controlled by the attacker.
The development is the latest in a wave of malicious Python packages published by attackers to poison the open-source ecosystem and distribute a medley of malware in supply chain attacks.
It is also the latest addition to a steady stream of fake PyPI packages that act as a stealth channel for malware distribution. In May 2023, ESET disclosed another set of libraries engineered to deploy Sordeal Stealer, which borrows its features from W4SP Stealer.
Then, last month, malicious packages masquerading as harmless mining tools were found to deploy a stealthy malware codenamed BlazeStealer.
“Python developers should thoroughly check the code they download, especially checking for these techniques, before installing it on their systems,” the researchers warned.
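The following script is an added example, not ESET's tooling or anything taken from the campaign. It puts the researchers' advice into practice for the three packaging techniques described above: it walks the Python files of an unpacked source distribution and flags a test.py pulled in by setup.py, PowerShell strings, dynamic `exec`/decode calls, and long high-entropy literals that typically carry an obfuscated payload. The indicator strings, thresholds and the two sample packages are constructed assumptions for illustration.

```python
"""Static triage of an unpacked PyPI sdist for the three packaging tricks described above:
a test.py pulled in at install time, PowerShell in setup.py, an obfuscated __init__.py."""
from __future__ import annotations
import ast
import math
import re
from dataclasses import dataclass

# Indicator strings and thresholds are assumptions drawn from the techniques named in the
# article, not a published IOC list. Treat hits as triage leads, not verdicts.
POWERSHELL_RE = re.compile(r"powershell(\.exe)?|-EncodedCommand|-WindowStyle\s+Hidden", re.I)
DECODE_FUNCS = {"b64decode", "b32decode", "a85decode", "decompress", "unhexlify"}
DYNAMIC_EXEC = {"exec", "eval", "compile"}
BLOB_MIN_LEN = 200      # literal length from which a high-entropy string is flagged
BLOB_MIN_ENTROPY = 5.0  # bits/char; English prose is ~4.0-4.5, base64 data close to 6

@dataclass(frozen=True, order=True)
class Finding:
    path: str
    technique: str
    detail: str

def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_source(path: str, source: str) -> list[Finding]:
    """Apply the heuristics to one Python file; returns de-duplicated, sorted findings."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return [Finding(path, "unparseable", "file does not parse as Python")]
    is_setup = path.rsplit("/", 1)[-1] == "setup.py"
    findings: list[Finding] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            # Works for both bare names (exec) and attributes (base64.b64decode).
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", "")
            if name in DYNAMIC_EXEC:
                findings.append(Finding(path, "dynamic-exec", f"call to {name}()"))
            if name in DECODE_FUNCS:
                findings.append(Finding(path, "encoded-payload", f"call to {name}()"))
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            # Technique 1: setup.py importing a sibling test module runs it at install time.
            names = [alias.name for alias in node.names]
            if isinstance(node, ast.ImportFrom) and node.module:
                names.append(node.module)
            if is_setup and "test" in names:
                findings.append(Finding(path, "test.py-hook", "setup.py imports test"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            s = node.value
            # Technique 2: PowerShell launched from setup.py (flagged wherever it appears).
            if POWERSHELL_RE.search(s):
                findings.append(Finding(path, "powershell", f"literal {s[:40]!r}"))
            if is_setup and s.endswith("test.py"):
                findings.append(Finding(path, "test.py-hook", f"literal {s!r}"))
            # Technique 3: obfuscated payload carried as a long high-entropy literal.
            if len(s) >= BLOB_MIN_LEN and shannon_entropy(s) > BLOB_MIN_ENTROPY:
                findings.append(Finding(path, "high-entropy-blob",
                                        f"{len(s)} chars, {shannon_entropy(s):.2f} bits/char"))
    return sorted(set(findings))

def scan_package(files: dict[str, str]) -> list[Finding]:
    """files maps relative path -> source text for every file in the unpacked sdist."""
    return sorted(f for path, src in files.items() if path.endswith(".py")
                  for f in scan_source(path, src))

# Constructed sample packages (not real PyPI packages): one combining all three tricks,
# one plain setuptools project. SAMPLE_BLOB stands in for an encoded payload.
SAMPLE_BLOB = "".join(chr(33 + (i * 7) % 90) for i in range(300))
SUSPICIOUS_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "import subprocess\n"
        "from test import run\n"
        "subprocess.Popen(['powershell', '-WindowStyle', 'Hidden', '-EncodedCommand', 'SQBFAFgA'])\n"
        "setup(name='example-pkg', version='0.1')\n"
    ),
    "test.py": "def run():\n    pass\n",
    "example_pkg/__init__.py": (
        "import base64, zlib\n"
        f"PAYLOAD = {SAMPLE_BLOB!r}\n"
        "exec(zlib.decompress(base64.b64decode('eJzT0yMAAGTvBe8=')))\n"
    ),
}
BENIGN_PACKAGE = {
    "setup.py": "from setuptools import setup\nsetup(name='plain-pkg', version='1.0')\n",
    "plain_pkg/__init__.py": "__version__ = '1.0'\n",
}

if __name__ == "__main__":
    for finding in scan_package(SUSPICIOUS_PACKAGE):
        print(f"{finding.path}: {finding.technique} ({finding.detail})")
```

To use it on a real download, extract the sdist archive without installing it, read each file into the path-to-source mapping and pass that to `scan_package`. The entropy heuristic will also fire on legitimate embedded data such as test fixtures or vendored certificates, so a hit means "read this file", not "this package is malicious"; the absence of hits says nothing about wheels, which carry no setup.py and need separate inspection.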
The disclosure also follows the discovery of npm packages that were found to target an unnamed financial institution as part of an “advanced adversary simulation exercise.” The names of the modules, which contain the encrypted blob, are withheld to protect the organization’s identity.
“This decrypted payload contains an embedded binary that cleverly exfiltrates user credentials to a Microsoft Teams webhook located within the target company in question,” software supply chain security firm Phylum said last week.