- CloudGuard Spectral detects 10 malicious packages on PyPI trying to steal install info-stealers that enable attackers to steal credentials.
- CloudGuard Spectral disclosed the information and alerted PyPI on these packages, later to be removed by the platform.
- These types of attacks commonly harvest very critical data points such as passwords and API tokens to steal critical information.
CloudGuard Spectral announced that they have detected 10 malicious packages on PyPI, the Python package index popular among Python developers. PyPI currently has more than 612,240 active users, working on 391,325 projects, with 3,664,724 releases. This means that this malware can be installed on many projects created by the developers of the community.
Info-stealers
CloudGuard Spectral stated that malicious packages install info-stealer, allowing attackers to steal credentials from the developers. The package installation, triggered by a pip install command, can include a setup-py script, which can include Python snippets to complete the installation process. This method is called typosquatting.
The attackers are using this feature to place malicious codes as a part of the installation script. The code runs on the users’ machine and attacks critical data points, including passwords and API tokens. Some of the packages are:
- Ascii2text
- Pyg-utils, Pymocks, and PyProto2
- Test-async
- Free-net-vpn
- Zlibsrc
- Browserdiv
- WINRPCexploit
CloudGuard Spectral said,
« Supply chain attacks are designed to exploit trust relationships between an organization and external parties. These relationships could include partnerships, vendor relationships, or the use of third-party software. Cyber threat actors will compromise one organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to other organizations’ environments. Such attacks became more frequent and grew in impact in recent years, therefore it is essential developers make sure are keeping their actions safe, double checking every software ingredient in use and especially such that are being downloaded from different repositories, especially ones which were not self-created. »