PyPI suspends registrations amid malware attack

About the Author

By | https://twitter.com/gadget_ry

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)

The Python Package Index (PyPI) has suspended new project creation and user registration to mitigate an ongoing malware upload campaign. This move comes as security researchers at Checkmarx uncovered a campaign involving multiple malicious packages related to the same threat actors.

The attackers are targeting victims through typosquatting attacks, tricking users into installing malicious Python packages through their command-line interface. This multi-stage attack aims to steal cryptocurrency wallets, sensitive browser data such as cookies and extension data, and various credentials.

The malicious payload also employs a persistence mechanism to survive system reboots, ensuring continued access to compromised machines.

Malicious typosquatting packages

Between 27-28 March 2024, several malicious Python packages were uploaded to PyPI—likely using automation tools. These packages contained malicious code within their setup.py files, enabling automatic execution upon installation.

The setup.py files contained obfuscated and encrypted code using the Fernet encryption module. Upon installation, this code would execute, triggering the retrieval of an additional payload from a remote server. The payload URL was dynamically constructed by appending the package name as a query parameter.

Once decrypted, the retrieved payload revealed an extensive info-stealer designed to harvest sensitive information from the victim’s machine, including cryptocurrency wallets, browser data, and credentials.

In response to the malware campaign, PyPI has temporarily suspended new project creation and new user registration. This measure aims to mitigate the ongoing threat while the organisation investigates and addresses the issue.

You can find a full list of the packages uncovered by Checkmarx here.

(Photo by David Clode on Unsplash)

See also: GitHub’s code scanning autofix enters public beta

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo and AI & Big Data Expo.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.

Tags: , , , , , , , , , ,

View Comments
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *