A PyPI malware author identified as “WS” was discovered by researchers to be covertly uploading malicious packages to PyPI that were impacting both Windows and Linux devices.
Over time, the malware author distributes multiple information-stealing packages into the PyPI library, each with unique payload complexities. From the detected packages alone, it is predicted that there may be over 2000 victims of “WS.”
Over several months, the instance of this specific malware author has come to light, demonstrating the significant amount of destruction that has occurred.
The Python community has created the Python Package Index (PyPI), an open repository of software packages to aid in the rapid development or updating of applications.
Although most packages uploaded to PyPI are uploaded by dedicated people seeking to promote the Python community, malicious packages are also frequently provided by threat actors.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
Info Stealing Packages Hidden in PyPI
According to Fortinet, the identified packages published by the author “WS” are as follows:
- nigpal
- figflix
- telerer
- seGMM
- fbdebug
- sGMM
- myGens
- NewGends
- TestLibs111
These demonstrate attack techniques similar to those described in a blog post by Checkmarx that was published four months prior.
The resemblance raises the possibility of a link to an early 2023 harmful effort. The setup.py files in these packages contain base64-encoded source code for PE or other Python scripts.
The final malicious payload is dropped and executed when these Python packages are installed, depending on the operating system of the victim devices.
Packages released before December 2023 can particularly transmit a Python script intended to steal data from Linux systems or, in the case of a Windows victim, deploy the malware known as Whitesnake PE.
“A subtle distinction lies in the new method now being used by the Python script to transmit stolen data. Instead of relying on a single fixed URL, these new malware variants use a range of IP addresses as the destination, likely to ensure successful data transmission even if one server fails”, Fortinet shared with Cyber Security News.
The PE Payload of the myGens & NewGends Packages is analyzed. It attempts to gather user data, including the host credentials and IP address of the user.
This latest set of packages primarily targets Windows users, in contrast to previous attacks that were directed at both Linux and Windows users. Even though each package has a slightly different executable payload, they all attempt to steal confidential data from victims.
Recommendation
When utilizing open-source packages, users are advised to proceed with extreme caution, making sure that no harmful content or payloads are present that could leave their targeted devices vulnerable to information theft.