Discovery of 116 Malicious Packages on PyPI Targeting Windows and Linux Systems
Cybersecurity experts unearthed 116 malicious packages within the Python Package Index (PyPI), specifically engineered to infiltrate Windows and Linux systems through a custom backdoor.
In a recent report, ESET researchers Marc-Etienne M. Léveillé and Rene Holt detailed that some of these packages deploy the notorious W4SP Stealer or a simple cryptocurrency-stealing clipboard monitor, or both, as their final payloads.
These packages have been downloaded over 10,000 times since May 2023. The threat actors behind the campaign insert malicious code into Python packages in several ways: through a test.py script executed at install time, by embedding PowerShell in setup.py, or by obfuscating code inside __init__.py files.
Regardless of the method, the ultimate aim remains to compromise targeted systems with malware, particularly a backdoor capable of remote control, data theft, and screen capturing. This backdoor is coded in Python for Windows and in Go for Linux.
Additionally, the attack sequences may also result in deploying W4SP Stealer or a clipper malware, monitoring and potentially altering cryptocurrency wallet addresses in victims' clipboards.
This discovery marks the latest instance of compromised Python packages that malicious actors have utilized to disseminate diverse malware types, aiming at supply chain attacks. It aligns with previous findings by ESET in May 2023, exposing libraries engineered to spread Sordeal Stealer, a variant resembling W4SP Stealer.
The researchers cautioned Python developers to meticulously inspect the code they download, particularly watching for these specific techniques, before installation.
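To make that pre-install inspection concrete, here is an added example (not ESET's tooling or any code from the report) that triages an unpacked PyPI package for the three insertion points described above: a test.py pulled in by setup.py, PowerShell spawned from setup.py, and exec/eval of a long base64 blob in __init__.py. The regexes, the 120-character threshold and the sample tree are assumptions constructed for the demonstration.

```python
# Added example, not ESET's tooling: pre-install triage of an unpacked PyPI package.
import ast
import re
from pathlib import PurePosixPath

# Heuristics and the 120-char threshold are assumptions; tune them to taste.
PS_RE = re.compile(r"powershell|-EncodedCommand|-enc\b", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/=]{120,}")
TEST_RE = re.compile(r"\btest\.py\b|\b(import|from) test\b")
SHELL_CALLS = {"system", "Popen", "run", "call", "check_output"}

def _call_names(tree):
    """Names of every function or method called anywhere in the module."""
    for node in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        fn = node.func
        yield fn.id if isinstance(fn, ast.Name) else getattr(fn, "attr", "")

def _has_long_b64(tree):
    """True if some string constant looks like a packed base64 stage."""
    return any(isinstance(n, ast.Constant) and isinstance(n.value, str)
               and B64_RE.fullmatch(n.value.strip()) for n in ast.walk(tree))

def scan_package_tree(files):
    """files: {relative posix path: source text} -> list of (path, reason)."""
    findings = []
    for path, src in files.items():
        name = PurePosixPath(path).name
        try:
            tree = ast.parse(src)
        except SyntaxError:
            findings.append((path, "unparseable Python (possibly packed)"))
            continue
        calls = set(_call_names(tree))
        if name == "setup.py":
            if PS_RE.search(src):
                findings.append((path, "PowerShell invocation in setup.py"))
            if TEST_RE.search(src):
                findings.append((path, "setup.py pulls in test.py at install time"))
            if calls & SHELL_CALLS:
                findings.append((path, "setup.py spawns a subprocess"))
        elif name == "__init__.py" and calls & {"exec", "eval"} and _has_long_b64(tree):
            findings.append((path, "exec/eval of a long base64 blob in __init__.py"))
    return findings

# Constructed sample tree mimicking the reported pattern (not a real package).
SAMPLE = {
    "setup.py": 'import subprocess\nsubprocess.run(["powershell", "-w", "hidden", "-c", "echo hi"])\n',
    "pkg/__init__.py": 'import base64\nexec(base64.b64decode("' + "QUJD" * 40 + '"))\n',
    "pkg/util.py": "def add(a, b):\n    return a + b\n",
}
```

To run it against a real download, feed `scan_package_tree` a mapping built from `Path(root).rglob("*.py")` over the extracted sdist or wheel before running `pip install`.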
This disclosure follows the discovery of npm packages targeting an undisclosed financial institution in an "advanced adversary simulation exercise." Those modules, which carried an encrypted payload, were identified by software security firm Phylum as exfiltrating user credentials to an internal Microsoft Teams webhook within the targeted organization; the specifics have been withheld for security reasons.
For Further Reference