A cluster of malicious Python projects has been identified in PyPI, the official Python package repository. The projects target both Windows and Linux systems and often deploy a custom backdoor.
In certain instances, the ultimate payload consists of a simplified clipboard monitor designed to steal cryptocurrencies, a version of the notorious W4SP Stealer, or both.
ESET Research found 116 malicious packages across 53 projects in PyPI, the official repository for software related to the Python programming language.
10,000 Downloads Of Malicious Packages
Python programmers frequently use PyPI to share and download code. Since anybody can add to the repository, malware may appear there, occasionally disguised as popular, legitimate code libraries.
The victims downloaded these files more than 10,000 times in the last year. The download rate has been roughly 80 per day since May 2023.
PyPI packages come in two forms: wheels, or prebuilt packages, which may include compiled modules for a particular Python version or operating system, and source packages, which contain the full project source code and are built during installation.
In several cases, the Python code in the source distribution differs from that in the built distribution: the malicious code is present in the built distribution (the wheel), while the source distribution is clean.
When a wheel is available, Python's package manager, pip, prefers it over a source distribution. Thus, the malicious wheel is what gets installed unless pip is explicitly told to prefer the source distribution.
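As an added example (not part of the ESET research or this article), the following Python script compares the `.py` files inside a wheel and an sdist of the same release and reports modules that exist only in the wheel or whose content differs from the sdist copy, which is exactly the divergence described above. The package name `mypkg`, the file contents and the injected `test.py` are constructed sample data; the script builds both archives in memory, so it runs offline.

```python
import hashlib
import io
import tarfile
import zipfile
from pathlib import PurePosixPath


def _py_files_from_wheel(data: bytes) -> dict:
    """Map each .py path inside a wheel (a zip archive) to its SHA-256."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith(".py"):
                out[name] = hashlib.sha256(zf.read(name)).hexdigest()
    return out


def _py_files_from_sdist(data: bytes) -> dict:
    """Same for an sdist (tar.gz); the leading 'name-version/' directory is stripped
    so paths line up with the wheel layout."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
        for member in tf.getmembers():
            if member.isfile() and member.name.endswith(".py"):
                rel = "/".join(PurePosixPath(member.name).parts[1:])
                out[rel] = hashlib.sha256(tf.extractfile(member).read()).hexdigest()
    return out


def compare_distributions(wheel_bytes: bytes, sdist_bytes: bytes) -> list:
    """Return (reason, path) findings for every wheel module that is absent from,
    or differs from, the source distribution. setup.py lives only in the sdist,
    so the comparison is driven from the wheel side."""
    wheel = _py_files_from_wheel(wheel_bytes)
    sdist = _py_files_from_sdist(sdist_bytes)
    findings = []
    for path, digest in sorted(wheel.items()):
        if path not in sdist:
            findings.append(("only_in_wheel", path))
        elif sdist[path] != digest:
            findings.append(("modified_in_wheel", path))
    return findings


# --- constructed sample archives (not real PyPI artifacts) -------------------

def _make_wheel(files: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


def _make_sdist(prefix: str, files: dict) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(f"{prefix}/{name}")
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


CLEAN_INIT = b"def greet():\n    return 'hello'\n"
# Constructed: the wheel carries extra code that the sdist never had.
TAMPERED_INIT = CLEAN_INIT + b"import os  # extra statement present only in the wheel\n"


def demo() -> list:
    sdist = _make_sdist("mypkg-1.0", {
        "setup.py": b"from setuptools import setup\nsetup(name='mypkg')\n",
        "mypkg/__init__.py": CLEAN_INIT,
    })
    wheel = _make_wheel({
        "mypkg/__init__.py": TAMPERED_INIT,
        "mypkg/test.py": b"print('hi')\n",          # module that exists only in the wheel
        "mypkg-1.0.dist-info/METADATA": b"Name: mypkg\n",
    })
    return compare_distributions(wheel, sdist)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:18} {path}")
```

Run against real artifacts, the two archive bytes would come from `pip download` of the same version once with and once without `--no-binary :all:`; any `modified_in_wheel` or `only_in_wheel` line is a reason to read the wheel's code before installing it.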
The threat actors behind this activity bundle the malicious code into Python packages using three different techniques: a test.py script, PowerShell embedded in the setup.py file, and an obfuscated form incorporated into the __init__.py file.
The second method involves inserting PowerShell code into the setup.py file, which package managers like pip normally run automatically when installing a Python project.
In the third strategy, the operators simply include the malicious code in the package, only lightly disguised, with no attempt to include any legitimate code.
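To turn the three packaging techniques above into something a reviewer can check for before installing, here is an added example (my own code, not ESET's or the article's) that scans a package's source files with Python's `ast` module and flags each technique: a stray test.py shipped inside the package, a setup.py that references PowerShell, and a module that decodes an embedded string and hands it to `exec()`. The sample package is constructed; its base64 string decodes to a harmless `print("hi")` and the PowerShell argument is a placeholder. The scanner only parses the files and never executes them.

```python
import ast
import re

# Matches a PowerShell invocation or its encoded-command switches.
POWERSHELL_RE = re.compile(r"powershell(\.exe)?\b|-EncodedCommand|-enc\b", re.IGNORECASE)

# Hypothetical threshold: long opaque string literals are typical of obfuscated payloads.
LONG_STRING_THRESHOLD = 500


def _interesting_calls(tree: ast.AST) -> set:
    """Collect names of calls that execute code, spawn processes or decode blobs."""
    hits = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Name) and func.id in {"exec", "eval", "compile"}:
            hits.add(func.id)
        elif isinstance(func, ast.Attribute) and func.attr in {
            "system", "Popen", "run", "check_output", "b64decode"
        }:
            hits.add(func.attr)
    return hits


def _longest_string(tree: ast.AST) -> int:
    return max(
        (len(n.value) for n in ast.walk(tree)
         if isinstance(n, ast.Constant) and isinstance(n.value, str)),
        default=0,
    )


def scan_package(files: dict) -> list:
    """files maps a path inside the package to its source text.
    Returns (path, reason) tuples for every suspicious file."""
    findings = []
    for path, source in files.items():
        base = path.rsplit("/", 1)[-1]
        # Technique 1: a test.py bundled into the installed package.
        if base == "test.py":
            findings.append((path, "unexpected test.py shipped in package"))
        # Technique 2: PowerShell referenced from setup.py, which pip runs on install.
        if base == "setup.py" and POWERSHELL_RE.search(source):
            findings.append((path, "setup.py references PowerShell"))
        # Technique 3: obfuscated code, typically decode-then-exec or a huge blob.
        try:
            tree = ast.parse(source)
        except SyntaxError:
            findings.append((path, "unparseable Python source"))
            continue
        calls = _interesting_calls(tree)
        if {"exec", "eval"} & calls and "b64decode" in calls:
            findings.append((path, "decodes and executes embedded code"))
        longest = _longest_string(tree)
        if longest > LONG_STRING_THRESHOLD:
            findings.append((path, f"string literal of {longest} chars"))
    return findings


# Constructed sample package exhibiting all three techniques plus one clean module.
SAMPLE_PACKAGE = {
    "mypkg/__init__.py": (
        "import base64\n"
        "_p = 'cHJpbnQoImhpIik='\n"          # base64 of print("hi"), harmless
        "exec(base64.b64decode(_p))\n"
    ),
    "mypkg/test.py": "print('ok')\n",
    "setup.py": (
        "from setuptools import setup\n"
        "import subprocess\n"
        "subprocess.run(['powershell', '-EncodedCommand', 'PLACEHOLDER'])\n"
        "setup(name='mypkg')\n"
    ),
    "mypkg/util.py": "def add(a, b):\n    return a + b\n",
}


if __name__ == "__main__":
    for path, reason in scan_package(SAMPLE_PACKAGE):
        print(f"{path}: {reason}")
```

In practice the `files` mapping would be filled from the extracted wheel or sdist (for example with `zipfile`/`tarfile`), and the scan is a triage aid, not proof of malice: a hit means read that file by hand before running `pip install`.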
At the time of this research, PyPI had already removed most of the packages. You may view the whole list of 116 packages in the GitHub repository.
“Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems. As well as continuing to abuse the open-source W4SP Stealer, the operators have also deployed a simple, but effective, backdoor,” researchers said.