Awani Review


Dozens of malicious PyPI packages targeting developers have been discovered; the packages contain the “W4SP” malware, which allegedly steals user data

Researchers from Phylum, a cybersecurity company that monitors the software supply chain to detect and report threats, have discovered more than two dozen Python packages in the PyPI repository that deliver information-stealing malware. Most of the identified packages contain obfuscated code that drops the “W4SP” stealer onto infected machines, while others carry malware allegedly created “for educational purposes” only. The company identified 29 Python packages containing the W4SP information stealer.

The Phylum researchers report that the affected packages are typosquats: threat actors deliberately publish them under names resembling legitimate Python libraries, hoping that a developer trying to fetch the real library will mistype its name and inadvertently pull one of the malicious packages instead. Like previous attempts, this particular attack begins by copying an existing popular library and injecting a malicious __import__ statement into an otherwise sane code base.
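The typosquatting pattern described above can be checked for on the defender's side before a dependency is ever installed. The following added example (not code from the article or from Phylum) audits a requirements list against a small, constructed allowlist of well-known package names: it applies PyPI's PEP 503 name normalization, flags names within a small edit distance of a popular name, and flags names that merely extend a popular name with a prefix or suffix. The allowlist `POPULAR`, the sample requirements and the distance threshold are assumptions for illustration.

```python
import re

# Constructed allowlist of well-known package names (assumption for this example;
# in practice you would use your organisation's approved dependency list).
POPULAR = {"colorama", "requests", "datetime2", "pystyle"}


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check_name(name, popular=POPULAR, max_distance=2):
    """Return a warning string if `name` looks like a typosquat of a popular name, else None."""
    n = normalize(name)
    if n in popular:
        return None  # exact match with an approved name
    for p in sorted(popular):
        d = levenshtein(n, p)
        if d <= max_distance:
            return f"{name}: within edit distance {d} of {p}"
        # 'requests-httpx' style names that piggyback on a popular name
        if n.startswith(p + "-") or n.endswith("-" + p):
            return f"{name}: extends popular name {p}"
    return None


def audit_requirements(lines):
    """Strip version specifiers from requirement lines and return all warnings."""
    warnings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name = re.split(r"[\s\[<>=!~;@]", line, 1)[0]
        warning = check_name(name)
        if warning:
            warnings.append(warning)
    return warnings


if __name__ == "__main__":
    # Constructed requirements file content for demonstration.
    sample = ["colorama==0.4.6", "coloursama", "requests-httpx>=1.0", "Datetime_2", "numpy"]
    for w in audit_requirements(sample):
        print("WARNING:", w)
```

The edit-distance threshold is deliberately small: a distance of 1 or 2 catches a dropped, swapped or added letter, which is what a developer's typo produces, while keeping false positives low. The prefix/suffix rule catches the other naming trick visible in the article's list, where a popular name is extended rather than misspelled.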

According to the researchers, the advantage of building an attack on copies of an existing legitimate package is that, because a package's home page in the PyPI repository is generated from setup.py and README.md, the malicious package immediately gets a proper-looking home page with links that mostly work and everything else in place. The image above shows the PyPI landing page of the malicious package Species. You can see that the attacker simply copied the datetime2 package and made some minor tweaks so that the script matches the fake package name under which it was released.

“Unless it is closely examined, a quick glance might lead one to believe that this is a legitimate package too,” the researchers say. In the report, the researchers detail the difficulties they faced while analysing more than 71,000 characters of obfuscated code, a “hell of a lot of slime” they had to wade through. In the end, they concluded that the malware distributed by these packages is W4SP Stealer, an information-stealing malware that exfiltrates Discord tokens, cookies, and saved passwords.

The report notes that in the majority of packages, especially the older ones, the malicious import was simply inserted into setup.py or __init__.py. Rather than placing the import somewhere obvious, the attackers hide it, using Python's rarely used semicolon to append the malicious code to the same line as legitimate code. In summary, here is exactly how this supply chain attack is carried out:

  • Dozens of packages are actively published on PyPI under innocuous (some typosquatted) names that blatantly copy existing legitimate packages, with a small piece of malicious code slipped into them;
  • The malicious code is an __import__ statement hidden in setup.py, __init__.py, or in custom error classes. In each case, it contains a Base64-encoded string that is executed. Sometimes, instead of a direct import in these files, it may be just an os.system() call that installs one of the attacker's other malicious packages;
  • Once decoded, this Base64 string contains a Python script that is written to a temporary file and executed;
  • This temporary file contains code that reaches out to any number of URLs;
  • From each URL it pulls a small piece of obfuscated Python code that unpacks a compressed byte object;
  • Once unpacked, this byte object contains the W4SP Stealer malware, which is deployed on the system.
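Every stage in the chain above leaves a static indicator in the package's own source: a semicolon-joined statement on an otherwise benign line, an `__import__` call, a long Base64 literal, an `exec` of decoded data, or an `os.system()` call in setup.py. The following added example (not code from the article or from Phylum) is a small AST-based scanner a defender can run over a package before installing it. It parses the file without executing it and reports those indicators by line. The two embedded samples are constructed for this example and carry only a harmless placeholder payload; the indicator list `SUSPICIOUS_CALLS` is an assumption, not an exhaustive signature.

```python
import ast
import base64
import re

# Constructed sample modelled on the article's description: a benign-looking __init__.py
# with a malicious __import__ appended after a semicolon to a legitimate import line.
# The Base64 payload decodes to a harmless print statement, not real malware.
SAMPLE_INIT_PY = '''
"""A legitimate-looking package."""
__version__ = "1.0.0"

def add(a, b):
    return a + b

from .core import helper;__import__("builtins").exec(__import__("base64").b64decode("cHJpbnQoJ3BsYWNlaG9sZGVyJyk="))
'''

# Constructed sample of the other variant: setup.py shelling out to install a second stage.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import os;os.system("pip install placeholder-package")
setup(name="example", version="1.0.0")
'''

# Callee names worth flagging in packaging/init code (assumed indicator list).
SUSPICIOUS_CALLS = {"__import__", "exec", "eval", "b64decode", "system", "popen"}
B64_RE = re.compile(r"^[A-Za-z0-9+/]{20,}={0,2}$")


def _call_name(node):
    """Return the simple name of a Call's callee, following __import__("x").attr(...) chains."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def _statement_lists(tree):
    """Yield every list of sibling statements (module body, function bodies, if/else ...)."""
    for node in ast.walk(tree):
        for field in ("body", "orelse", "finalbody"):
            stmts = getattr(node, field, None)
            if isinstance(stmts, list) and stmts and isinstance(stmts[0], ast.stmt):
                yield stmts


def scan_source(source):
    """Parse Python source (never executed) and return sorted (lineno, message) findings."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _call_name(node)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, f"suspicious call: {name}"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str) and B64_RE.match(node.value):
            try:
                decoded = base64.b64decode(node.value, validate=True).decode("utf-8", "replace")
            except ValueError:
                decoded = "<not valid base64>"
            findings.append((node.lineno, f"base64 literal decodes to: {decoded[:60]!r}"))
    # Several sibling statements starting on one line is the semicolon-hiding trick.
    for stmts in _statement_lists(tree):
        by_line = {}
        for stmt in stmts:
            by_line.setdefault(stmt.lineno, []).append(type(stmt).__name__)
        for lineno, kinds in by_line.items():
            if len(kinds) > 1:
                findings.append((lineno, f"multiple statements on one line ({', '.join(kinds)})"))
    return sorted(findings)


if __name__ == "__main__":
    for label, src in (("__init__.py", SAMPLE_INIT_PY), ("setup.py", SAMPLE_SETUP_PY)):
        print(f"== {label}")
        for lineno, msg in scan_source(src):
            print(f"  line {lineno}: {msg}")
```

Because the scanner uses `ast.parse` it never imports or runs the package, so it is safe to point at untrusted source. It is a triage aid rather than a verdict: a legitimate package can use `exec` or Base64, but a one-line chain of `__import__`, `b64decode` and `exec` hanging off a semicolon in `__init__.py` or `setup.py` is exactly the shape the report describes and deserves a manual look.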

According to the researchers, at the time the report was published the affected packages collectively accounted for more than 5,700 downloads. Note that some of these packages appear to be blatant typosquatting attempts, such as strings and coloursama (which mimic strings and colorama, two packages that together account for hundreds of millions of downloads per month). In August, researchers at Kaspersky's Securelist also analysed malicious PyPI packages obfuscated with an open source tool called Hyperion and found them spreading W4SP malware.

In addition, software developer and researcher Hauke Lübbers has identified the PyPI packages pystile and strings, which contain malware that calls itself gyrobeeb. The researcher believes, however, that this malware is based on an open source project, evil point, published “for educational purposes only”. This week's development is another incident in a series of typosquatting attacks that target developers by exploiting open source software distribution platforms such as PyPI and npm. Here is the list of W4SP-infected packages the researchers identified:

  1. Arithmetic
  2. coloursama
  3. coloroen
  4. Corlaby
  5. cypress
  6. duet
  7. common questions
  8. Fatnoob
  9. felpesviadinho
  10. iao
  11. incrivelsim
  12. installpy
  13. yes
  14. pydprotect
  15. Behents
  16. pyptext
  17. Bislet
  18. pystyle
  19. pystytus
  20. Berlep
  21. Requests – httpx
  22. chasigma
  23. stringer
  24. nervous
  25. sutiltype
  26. strings
  27. color type
  28. printing
  29. Species

Source: Phylum

And you?

What do you think about the matter?
What do you think of the rise in typosquatting attacks?
Have you been a victim of this recently? If so, share your experience.
How do you think developers can protect themselves from such attacks?

See also

A collection of more than 200 malicious npm packages targeting developers who use Microsoft Azure has been removed, two days after it was made publicly available


Malicious npm packages are part of a “surge” of malware hitting repositories, and the packages' popularity makes them ideal attack vectors

The PyPI ‘keep’ package mistakenly included a password-stealing tool; an admin inadvertently introduced a malicious dependency through a misspelling

PyPI: Python packages steal users’ AWS keys and send them to insecure publicly accessible sites, report says