The Python Package Index (PyPI) has suspended new project creation and user registration to mitigate an ongoing malware upload campaign. This move comes as security researchers at Checkmarx uncovered a campaign involving multiple malicious packages related to the same threat actors.
The attackers are targeting victims through typosquatting attacks, tricking users into installing malicious Python packages through their command-line interface. This multi-stage attack aims to steal cryptocurrency wallets, sensitive browser data such as cookies and extension data, and various credentials.
The malicious payload also employs a persistence mechanism to survive system reboots, ensuring continued access to compromised machines.
Malicious typosquatting packages
Between 27-28 March 2024, several malicious Python packages were uploaded to PyPI—likely using automation tools. These packages contained malicious code within their setup.py files, enabling automatic execution upon installation.
The setup.py files contained obfuscated and encrypted code using the Fernet encryption module. Upon installation, this code would execute, triggering the retrieval of an additional payload from a remote server. The payload URL was dynamically constructed by appending the package name as a query parameter.
Once decrypted, the retrieved payload revealed an extensive info-stealer designed to harvest sensitive information from the victim’s machine, including cryptocurrency wallets, browser data, and credentials.
In response to the malware campaign, PyPI has temporarily suspended new project creation and new user registration. This measure aims to mitigate the ongoing threat while the organisation investigates and addresses the issue.
You can find a full list of the packages uncovered by Checkmarx here.
(Photo by David Clode on Unsplash)
See also: GitHub’s code scanning autofix enters public beta
Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London. The comprehensive event is co-located with other leading events including BlockX, Digital Transformation Week, IoT Tech Expo and AI & Big Data Expo.
Explore other upcoming enterprise technology events and webinars powered by TechForge here.