Malicious Passlib Python Package Triggers Windows Shutdowns with Invalid Inputs
A deceptive and destructive Python package named psslib, uncovered by Socket’s Threat Research Team, poses a severe risk to developers by masquerading as a legitimate password security solution.
Published by the threat actor identified as umaraq, this malicious package typosquats the widely trusted passlib library a toolkit with over 8.9 million monthly downloads used for secure password hashing and verification.
Unveiling a Deceptive Threat in Python’s Ecosystem
Unlike its legitimate counterpart, psslib is engineered to cause immediate system shutdowns on Windows environments when users input incorrect passwords, exploiting developer trust in security tools.
As of now, the package remains active on the PyPI registry, despite formal petitions for its removal, highlighting the persistent danger of supply chain attacks in open-source ecosystems.
The psslib package employs a seemingly innocuous password verification system using easygui.enterbox() to prompt for credentials.
However, beneath this facade lies a malicious payload: if the entered password does not match the predefined value, the package executes the Windows command shutdown /s /t 1, forcing an immediate system shutdown within one second.
This abrupt action can lead to significant data loss, corruption of open files or databases, disruption of services, and potential filesystem inconsistencies.
Platform-Specific Targeting
Beyond password verification, the package includes additional functions like direct shutdown (src()) and error handling (error()) that trigger system shutdowns without user consent or authentication, broadening the attack surface.
Notably, this destructive behavior is tailored for Windows systems, while the commands fail harmlessly on Linux and macOS due to incompatible syntax, indicating a deliberate focus on Windows development environments where Python is often used for scripting and automation.
Socket’s AI Scanner has flagged psslib as malicious due to its disruptive behavior, emphasizing the growing sophistication of typosquatting attacks.
These attacks are particularly alarming as developers often install such packages with elevated privileges, integrating them into critical workflows like CI/CD pipelines and user-facing applications.
A single malicious library can thus compromise not only a developer’s workstation but also production systems and end users.
The package’s deceptive README and documentation, which falsely advertise it as a security utility to “secure your Python program,” further weaponize trust, making it a potent threat in the software supply chain.
According to the Report, Socket’s tools, including a GitHub app, CLI, and browser extension, offer real-time detection of such risks, helping developers identify threats before they infiltrate codebases.
Looking ahead, this incident underscores emerging trends in supply chain attacks, where future threats may target diverse developer tools and environments with platform-specific payloads or blend destructive capabilities with legitimate features for stealth.
The immediate and destructive nature of psslib serves as a stark reminder of the need for vigilance and robust security measures in open-source software development.
Indicators of Compromise (IOCs)
| Category | Details |
|---|---|
| Malicious Package | psslib |
| Threat Actor Alias | umaraq |
| PyPI Registered Emails | umar[.]maq@yandex[.]com, umarmoiz2010@gmail[.]com |
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates
Source link
