The Python Package Index (PyPI) has been found to contain 29 potentially malicious packages. In most of these cases, you will find that the obfuscated code drops an info-stealer called “W4SP” on infected machines.
Others use malware that its author allegedly wrote for the sole purpose of teaching.
W4SP Stealer has made its way onto PyPI, and the malware is primarily intended to infect developers' systems with its malicious code.
Cybersecurity analysts at Phylum performed extensive research and concluded that the initial steps of this type of attack are simple copies of popular libraries with malicious __import__ statements inserted into the code base.
It is important to point out that the attacker benefited from copying and pasting an existing, legitimate package, since the PyPI landing page for a package is generated from its setup.py and README.md files.
Through this method, the attackers could immediately produce a real-looking landing page with mostly working, legitimate links and everything else.
A brief glance could lead one to believe that such a package is legitimate unless it is examined thoroughly.
In total, the experts at Phylum recently identified 29 malicious packages in this software supply chain attack, which we have listed below:-
Most packages, especially the earlier ones, contain an easily injected malicious import in either the setup.py or the __init__.py file. In the image below, requests-httpx is a copy of the requests package with the malicious import added to it.
Following this, the attacker changed tactics slightly rather than making another attempt of the same kind. They took advantage of a rarely used Python construct to hide the import far off-screen instead of placing it prominently, so as not to attract attention.
The screenshot below is from the setup.py of the malicious package typesutil.
There are around 71K characters in this mess, so there is quite a bit to wade through to get to the bottom of it. This is typical of an obfuscated Python program.
During the process, it became apparent that something wasn't quite right. Since the attacker's tactics changed again after this, the analysts suspect that the attacker recognized this as well.
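The three injection patterns described above (a malicious __import__ call in setup.py or __init__.py, a call pushed far off-screen behind a run of whitespace, and a very large obfuscated string blob) can all be triaged statically before a package is installed. The checker below is an added example written for this article, not Phylum's tooling or any code from the packages themselves; the thresholds, the sample package files and the placeholder payload string are constructed for illustration.

```python
"""Static triage of a Python package's setup.py / __init__.py files for the
injection patterns discussed above. Added example; thresholds and sample
files are constructed assumptions, not taken from the Phylum report."""
from __future__ import annotations

import ast
import re
from dataclasses import dataclass

# Heuristic thresholds (assumptions chosen for this example).
MAX_LINE_WIDTH = 200   # wider than any normal editor viewport
MIN_BLOB_LEN = 2000    # a single string literal this long smells like packed code
SUSPECT_CALLS = {"__import__", "exec", "eval", "compile"}
# Two visible tokens separated by 40+ spaces/tabs: code parked off-screen.
OFFSCREEN_GAP = re.compile(r"\S\s{40,}\S")


@dataclass
class Finding:
    kind: str
    line: int
    detail: str


def _call_name(node: ast.Call) -> str:
    """Return the bare name of a called function (`f(...)` or `x.f(...)`)."""
    if isinstance(node.func, ast.Name):
        return node.func.id
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    return ""


def scan_source(src: str) -> list[Finding]:
    """Flag off-screen padding, suspect dynamic calls and oversized literals."""
    findings: list[Finding] = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if len(line) > MAX_LINE_WIDTH and OFFSCREEN_GAP.search(line):
            findings.append(Finding("offscreen_padding", lineno,
                                    f"{len(line)}-char line with code past a whitespace run"))
    try:
        tree = ast.parse(src)
    except SyntaxError as exc:
        findings.append(Finding("unparseable", exc.lineno or 0,
                                "file does not parse; inspect by hand"))
        return findings
    for node in ast.walk(tree):
        if isinstance(node, ast.Call) and _call_name(node) in SUSPECT_CALLS:
            target = ""
            if node.args and isinstance(node.args[0], ast.Constant) \
                    and isinstance(node.args[0].value, str):
                target = node.args[0].value[:40]
            findings.append(Finding("suspect_call", node.lineno,
                                    f"{_call_name(node)}({target!r})"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) \
                and len(node.value) >= MIN_BLOB_LEN:
            findings.append(Finding("long_literal", node.lineno,
                                    f"{len(node.value)}-char string literal"))
    findings.sort(key=lambda f: f.line)
    return findings


def triage(files: dict[str, str]) -> dict[str, list[Finding]]:
    """Scan only the files pip or `import` actually executes on install/import."""
    report: dict[str, list[Finding]] = {}
    for path, src in files.items():
        if path.rsplit("/", 1)[-1] in ("setup.py", "__init__.py"):
            found = scan_source(src)
            if found:
                report[path] = found
    return report


# Constructed sample files (not real package contents).
CLEAN_SETUP = 'from setuptools import setup\n\nsetup(name="goodpkg", version="1.0.0")\n'
INJECTED_SETUP = CLEAN_SETUP + \
    '__import__("builtins").exec(__import__("base64").b64decode("PAYLOAD_PLACEHOLDER"))\n'
HIDDEN_SETUP = ('from setuptools import setup\n'
                'setup(name="typesutil", version="0.1.0")' + " " * 300 +
                '; __import__("os").getcwd()\n')
BLOB_INIT = '__all__ = []\n_payload = "' + "A" * 2500 + '"\nexec(_payload)\n'
SAMPLE_PACKAGE = {
    "setup.py": INJECTED_SETUP,
    "typesutil/__init__.py": BLOB_INIT,
    "typesutil/util.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for path, found in triage(SAMPLE_PACKAGE).items():
        for f in found:
            print(f"{path}:{f.line}: {f.kind}: {f.detail}")
```

The AST pass is deliberately limited to files that run at install or import time, because that is where the attack places its hook; the line-width check runs on raw text so that it still fires on a file the parser cannot handle. Heuristics like these produce false positives on legitimately minified or vendored code, so a hit is a prompt to read the file, not a verdict.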
The supply-chain attack is executed for:-
However, the researchers assert that more malware like this will likely appear in the near future. To justify this, they point out that this is an ongoing attack by a determined attacker who changes tactics constantly.