116 Malware packages found in PyPI Repository infecting Windows and Linux systems


Cybersecurity researchers have identified a set of 116 malicious packages in the Python Package Index (PyPI) repository designed to infect Windows and Linux systems with a custom backdoor.

“In some cases, the final payload is a variant of the infamous W4SP Stealer, or a simple clipboard monitor to steal cryptocurrency, or both,” ESET researchers Marc-Etienne M.Léveillé and Rene Holt said in a report published earlier this week.

The packages have been estimated to have been downloaded more than 10,000 times since May 2023.

The threat actors behind this activity have been observed using three techniques to bundle malicious code into Python packages, namely via a test.py script, embedding PowerShell in the setup.py file, and including it in obfuscated form in the __init__.py file.
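
A pre-install triage check for the three bundling techniques listed above, added here as an example and not taken from the ESET report or the page: it scans an sdist's files for heuristic indicators of PowerShell in setup.py, decode-and-exec code in __init__.py, and fetch-or-execute behaviour in test.py. The regexes and the sample package contents are constructed assumptions, so treat hits as a reason to read the file, not as proof of malice.

```python
import re
from typing import Dict, List

# Heuristic indicators for the three bundling techniques described in the report.
# The regexes are constructed examples of what to look for, not signatures from ESET.
INDICATORS = {
    "setup.py": [
        (r"powershell(\.exe)?", "PowerShell invoked from setup.py"),
        (r"\bsubprocess\.|\bos\.system\(", "process spawned during install"),
    ],
    "__init__.py": [
        (r"\bexec\s*\(", "exec() of dynamically built code"),
        (r"b64decode|zlib\.decompress|codecs\.decode", "decoding of an embedded blob"),
        (r"(\\x[0-9a-f]{2}){8,}", "long hex-escaped string literal"),
    ],
    "test.py": [
        (r"urlopen\(|requests\.(get|post)\(", "network fetch from a test script"),
        (r"\bexec\s*\(|\bsubprocess\.", "code execution from a test script"),
    ],
}


def triage_package(files: Dict[str, str]) -> List[str]:
    """Return findings ('path: label') for a mapping of file path -> source text.
    Matching is on the basename, so nested __init__.py and test.py are checked."""
    findings = []
    for path, source in files.items():
        basename = path.rsplit("/", 1)[-1]
        for pattern, label in INDICATORS.get(basename, []):
            if re.search(pattern, source, re.IGNORECASE):
                findings.append(f"{path}: {label}")
    return findings


# Constructed sample sdist contents (assumed for the demo, not from the real packages).
SAMPLE_FILES = {
    "setup.py": "from setuptools import setup\nimport subprocess\n"
                'subprocess.Popen(["powershell", "-w", "hidden", "-c", "<stage2>"])\n'
                'setup(name="demo", version="0.1")\n',
    "demo/__init__.py": "import base64, zlib\n"
                        'exec(zlib.decompress(base64.b64decode("eJw<blob>")))\n',
    "demo/utils.py": "def add(a, b):\n    return a + b\n",
}

if __name__ == "__main__":
    for finding in triage_package(SAMPLE_FILES):
        print(finding)
```

Run it against an extracted sdist by reading each file into the dictionary; a clean utility module produces no findings, while the constructed setup.py and __init__.py each trigger two.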

Regardless of the method used, the end goal of the campaign is to compromise the targeted host with malware, primarily a backdoor capable of remotely executing commands, exfiltrating data, and taking screenshots. The backdoor module is implemented in Python for Windows and in Go for Linux.

Alternatively, the attack chains culminate in the deployment of W4SP Stealer or a clipper malware that monitors the victim’s clipboard and swaps any wallet address it finds with an attacker-controlled address.


The development is the latest in a wave of compromised Python packages that attackers have released to poison the open source ecosystem and spread a hodgepodge of malware for supply chain attacks.

It is also the latest addition to a steady stream of fake PyPI packages that have acted as a stealthy conduit for spreading stealer malware. In May 2023, ESET revealed another cluster of libraries designed to distribute Sordeal Stealer, which borrows its functions from W4SP Stealer.

Last month, malicious packages masquerading as seemingly harmless obfuscation tools were discovered to deploy a stealer malware codenamed BlazeStealer.

“Python developers should thoroughly investigate the code they download, paying particular attention to these techniques, before installing it on their systems,” the researchers warned.

The revelation also follows the discovery of npm packages targeting an unnamed financial institution as part of an “advanced adversary simulation exercise.” The names of the modules, which contain an encrypted blob, are hidden to protect the organization’s identity.

“This decrypted payload contains an embedded binary that intelligently exfiltrates user data into a Microsoft Teams webhook internal to the target company in question,” Phylum, a software supply chain security firm, said in a disclosure last week.
