Awani Review

Complete News World

Dozens of malicious PyPI packages targeting developers have been discovered, and these packages contain “W4SP” malware that allegedly steals user data

Researchers from Phylum, a cybersecurity company that monitors the software supply chain to detect and report threats, have discovered more than two dozen Python packages in a PyPI repository that deliver malware that extracts and steals your information. Most of the identified packages contained an obscure code that drops “W4SP” to steal information on infected machines, while others use malware allegedly created for “educational purposes” only. The company identified 29 Python packages containing the W4SP information thief.

The Asylum researchers report that the affected packages are typos, i.e. actors threatening to publish them on purpose call them similar to legitimate Python libraries, hoping that developers trying to fetch the real library will make a misspelling and inadvertently fetch one. malicious packages. Like previous attempts, this particular attack starts with copying existing popular libraries and injecting a statement __import__ Malware in an otherwise sane code base.

According to the researchers, the advantage of setting up an attack based on copies of an existing legitimate package is that because the package’s home page in the PyPI repository is generated from setup.py And the README.mdIt immediately has a proper homepage with links that work most of the time and everything else. The image above shows the main page of the malicious package’s PyPI Species. You can see that the hacker simply copied the package date and time 2 It made some minor tweaks to make the script consistent with the fake package name it was released with.

“Unless it is closely examined, a quick look at it may lead one to believe that it is a legitimate package as well,” the researchers say. In the report, the researchers detailed the difficulties they encountered while analyzing the obfuscated code of more than 71,000 characters, a “hell of a lot of slime” they had to wade through. In the end, they concluded that the malware distributed by these packages was W4SP Stealer. It is indeed an information theft malware that steals Discord codes, cookies, and saved passwords.

The report notes that in the majority of packages, especially older packages, the malicious import was simply inserted into the file. setup.py where __init__.py. Instead of putting the import somewhere obvious, attackers hide it, making use of the semicolon rarely used in Python to insert malicious code into the same line of legitimate code. In conclusion, here is the exact way this supply chain attack is implemented:

  • Dozens of packages are actively launched on PyPI with harmless (some typographical) names that blatantly copy existing legitimate packages and try to sneak a small piece of malicious code into them;
  • Malicious code is a statement __import__ cache in files setup.pyAnd the __init__.py or in custom error classes. In either case, it contains the Base64 encoded string being executed. Sometimes, instead of directly importing into these files, it might just be a call os.system() which installs one of its other malicious packages;
  • Decoded, this Base64 encoded string contains a Python script written to a temporary file to be executed;
  • This temporary file contains code that accesses any number of URLs;
  • From each URL it pulls a little obfuscated Python code that implements a compressed byte object;
  • If unpacked, this byte object contains the W4SP Stealer malware spread on the system.
See also  The spirit of so much music is reignited in the documentary premiere

According to the researchers, at the time the report was published, the affected packages collectively accounted for more than 5,700 downloads. Note that some of these packages appear to be obvious attempts at typographical attacks like strings And the coloursama (who copies strings And the colorama), which together account for hundreds of millions of downloads per month). In August, Kaspersky Securelist researchers also analyzed PyPI malicious packets that were obfuscated by an open source tool called Hyperion and were detected spreading W4SP malware.

In addition, software developer and researcher Hauke ​​Lbbers has also identified PyPI packages pystile And the strings containing malware that calls itself gyrobeeb. However, the researcher believes that this malware is based on an open source project evil point Published “for educational purposes only”. This week’s development marks another incident in a series of typographical attacks targeting developers while exploiting open source software distribution platforms such as PyPI and npm. Here is a list of packages infected with W4SP that the researchers identified:

  1. Arithmetic
  2. coloursama
  3. coloroen
  4. Corlaby
  5. cypress
  6. duet
  7. common questions
  8. Fatnoob
  9. felpesviadinho
  10. iao
  11. incrivelsim
  12. installpy
  13. yes
  14. pydprotect
  15. Behents
  16. pyptext
  17. Bislet
  18. pystyle
  19. pystytus
  20. Berlep
  21. Requests – httpx
  22. chasigma
  23. stringer
  24. nervous
  25. sutiltype
  26. strings
  27. color type
  28. printing
  29. Species

source : Asylum

And you?

What do you think about the matter?
What do you think of the increase in typographical attacks?
Have you been a victim of this recently? If so, share your experience.
How do you think developers can protect themselves from such attacks?

See also

A collection of more than 200 malicious npm packages targeting developers using Microsoft Azure has been removed, two days after it was made publicly available.

See also  Chinese space station welcomes first crew

Malicious npm packages are part of the “surge” of malware hit repositories, and the packages’ popularity makes them ideal attack vectors

PyPI ‘keep’ package mistakenly included a password theft tool, admin inadvertently introduced a malicious dependency through a misspelling

PyPI: Python packages steal users’ AWS keys and send them to insecure publicly accessible sites, report says