FortiGuard Labs has recently uncovered more than 5,000 malicious software packages designed to compromise Windows systems.
These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise.
The analysis reveals a disturbing trend in the evolution of cyber threats, with attackers continuously refining their methods to bypass security protocols and infiltrate systems undetected.
The investigation identified 1,082 packages with low file counts, a tactic employed to minimize detection footprint while maximizing damage potential.
Another 1,052 packages contained suspicious install scripts designed to silently deploy malicious code during the installation process, often modifying standard procedures to execute harmful actions without user awareness.
Additionally, 1,043 packages lacked repository URLs, raising significant concerns about their legitimacy and traceability, while 974 packages included suspicious URLs that potentially facilitate communication with command-and-control servers.
Further analysis by Fortinet researchers revealed 681 packages utilizing suspicious APIs, including calls such as https.get and https.request, primarily used to exfiltrate sensitive data or establish remote control capabilities.
The study also identified 537 packages with empty descriptions, a technique that further obscures malicious intent, and 164 packages with unusually high version numbers, used to mislead users into trusting outdated or potentially harmful software.
These malicious packages pose substantial threats to Windows systems, with capabilities ranging from keylogging and data exfiltration to establishing backdoors and executing remote commands.
The comprehensive nature of these attacks demonstrates the evolving sophistication of cyber threats targeting development environments and end-user systems alike.
Malicious Code Analysis and Attack Vectors
One particularly concerning attack vector involves Python packages that exploit the setup.py file to silently collect system information.
Packages such as AffineQuant-99.6, amzn-aws-glue-ml-libs-python-6.1.5, and amzn-awsglue-6.1.4 were found to gather MAC addresses, hostnames, usernames, and directory information before transmitting this data to attacker-controlled servers.
The script employs different system commands depending on the operating system (getmac for Windows, ifconfig for Linux/macOS) and encodes the stolen information using base64 before exfiltration.
The low file count for the PyPI package AffineQuant v99.6 shows how attackers minimize code footprint to evade detection.
Similarly, malicious Node.js packages like seller-admin-common_6.5.8 and seller-rn-mng-lib_6.5.8 contain code that harvests sensitive information including internal and external IP addresses, DNS servers, and user details, bundling this data into JSON objects before transmitting it to attackers via Discord webhooks.
Perhaps most concerning is the package xeno.dll_1.0.2, which employs sophisticated obfuscation techniques to disguise keylogging functionality capable of capturing passwords and credit card details.
The code not only logs keystrokes but also establishes a backdoor with elevated privileges, providing attackers complete system control while collecting operating system details, installed applications, and network configurations.
FortiGuard Labs recommends that developers install packages only from trusted sources, review package content before installation, use isolated virtual environments, employ security scanning tools, and maintain up-to-date dependencies.
These measures are essential for protecting systems against the growing wave of sophisticated supply chain attacks targeting development environments.
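The triage criteria the report enumerates (low file count, suspicious install scripts, missing repository URL, suspicious URLs, suspicious APIs, empty description, unusually high version number) map directly onto a pre-install review step of the kind recommended above. The checker below is an added example, not FortiGuard's or Fortinet's code; the thresholds MIN_FILES and MAX_MAJOR_VERSION and the two package fixtures are my own assumptions, and the suspect fixture only contains the indicator tokens, not runnable collection code.

```python
import re

# Heuristics are the ones the report enumerates; the thresholds MIN_FILES and
# MAX_MAJOR_VERSION are my own assumptions, not FortiGuard's published values.
MIN_FILES = 3
MAX_MAJOR_VERSION = 50
SUSPICIOUS_APIS = ("https.get", "https.request", "getmac", "ifconfig", "base64")
INSTALL_HOOK_MARKERS = ("subprocess", "preinstall", "postinstall")
# Discord webhook endpoints and bare-IP URLs, the destinations the report names.
SUSPICIOUS_URL_RE = re.compile(
    r"https?://(?:discord(?:app)?\.com/api/webhooks|\d{1,3}(?:\.\d{1,3}){3})", re.I)

def triage(version: str, description: str, repository_url: str, files: dict) -> list[str]:
    """Return the report heuristics a package triggers; `files` maps path -> content."""
    flags = []
    if len(files) < MIN_FILES:
        flags.append("low_file_count")
    if not repository_url.strip():
        flags.append("missing_repository_url")
    if not description.strip():
        flags.append("empty_description")
    major = version.split(".")[0]
    if major.isdigit() and int(major) > MAX_MAJOR_VERSION:
        flags.append("high_version_number")
    # setup.py (PyPI) and package.json (npm) are where install-time hooks live.
    hooks = [files.get(p, "") for p in ("setup.py", "package.json")]
    if any(m in h for h in hooks for m in INSTALL_HOOK_MARKERS):
        flags.append("suspicious_install_script")
    blob = "\n".join(files.values())
    if any(api in blob for api in SUSPICIOUS_APIS):
        flags.append("suspicious_api")
    if SUSPICIOUS_URL_RE.search(blob):
        flags.append("suspicious_url")
    return flags

# Constructed fixtures: one package shaped like the report's AffineQuant example
# (one file, empty metadata, version 99.6) and one ordinary library.
SUSPECT = dict(version="99.6", description="", repository_url="", files={
    "setup.py": "import subprocess, base64  # constructed fixture, never executed\n"
                "mac = subprocess.check_output(['getmac'])\n"
                "# sends base64.b64encode(mac) to https://192.0.2.10/ (placeholder)\n"})
CLEAN = dict(version="1.4.2", description="Parses TOML files",
             repository_url="https://github.com/example/example-lib", files={
    "setup.py": "from setuptools import setup\nsetup(name='example-lib')\n",
    "example_lib/__init__.py": "", "README.md": "# example-lib\n", "tests/test_parse.py": ""})

if __name__ == "__main__":
    print("suspect:", triage(**SUSPECT))
    print("clean:  ", triage(**CLEAN))
```

A package that trips several flags at once is a candidate for manual review of its install scripts before it reaches a build host; a single flag such as a missing repository URL is common in legitimate packages and should not block on its own.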