Attackers hide malicious payloads deep within seemingly legitimate Python packages, where two such packages were found. One, img-aws-s3-object-multipart-copy, is a copy of a real library on GitHub.
They modified the code to execute a hidden script, loadformat.js, which is likely to download and run additional malware. This suggests a sophisticated attacker with malicious intent.
An attacker hides malicious code within an image file, which iterates through each byte of the image, and if the byte value corresponds to a printable ASCII character (between 32 and 126), it’s converted and stored in a variable.
Non-printable characters are discarded unless a certain number of printable characters have already been collected, triggering a potential exploit, which suggests that the hidden code can be embedded within the image without disrupting its functionality.
Protect Your Business Emails From Spoofing, Phishing & BEC with AI-Powered Security | Free Demo
The code analyzes an image file and potentially executes embedded code, and if the image file size is greater than 2000 bytes, a variable is set to trigger the execution of hidden code extracted from the image.
.webp "Weaponized AWS Packages That Deliver Malware Via JPEG Files 3")
This extracted code is then combined with the provided libraries (https, exec, and os) into a new function and executed; while the snippet doesn’t reveal the functionality of the hidden code, its execution suggests potential malicious intent.
The code snippet analyzes three image files (logo1.jpg, logo2.jpg, and logo3.jpg), but only logo2.jpg (the Microsoft logo) triggers malicious behavior, which registers the infected machine with a remote server (85.208.108.29) using hostname and OS information.
.webp "Weaponized AWS Packages That Deliver Malware Via JPEG Files 4")
Then, it establishes a loop to fetch commands from the server and execute them periodically.
The commands can include changing a directory (“cd”) or running arbitrary code with the “exec” function. The execution results are then posted back to the server.
The code establishes a connection with a remote command-and-control server (C2) at the IP address 85.208.108.29, which transmits basic system information, including hostname and operating system details, during the initial registration.
Subsequently, it sets a recurring timer to fetch commands from the C2 every 5 seconds (0x1388 milliseconds).
.webp "Weaponized AWS Packages That Deliver Malware Via JPEG Files 5")
Downloaded commands are executed locally on the compromised device, and the resulting output is sent back to the attacker through the “/post-results?clientId=
According to Phylum, the code snippet facilitates a persistent communication channel for receiving and executing malicious commands from a remote attacker.
Two reported malicious packages remained available on npm for an extended period, highlighting the limitations of current detection systems and the growing threat landscape within open-source ecosystems.
The rise in sophisticated and prevalent malicious packages necessitates heightened developer and security awareness regarding the potential risks associated with open-source library consumption.
Join our free webinar to learn about combating slow DDoS attacks, a major threat today.