Malware Campaign Targets Official Python and JavaScript Repos

If you've ever learnt to code, you must have probably come across one of these two languages, Python and JavaScript. Developers use the most popular languages of today across the globe. The fact that makes these languages so advanced and developer-friendly is their packages. PyPI and NPM are used in Python and JavaScript, respectively. Both these languages offer numerous inbuilt packages for the ease of the developers. These packages are pre-coded, have a single function to adhere to, and can be used as per your convenience just by one single command. However, in recent events, let us shed light on how a malware threat has targeted these packages.

PyPI, managed by the Python Software Foundation, is the most extensive code library for the Python programming language. More than 350,000 separate software programs are hosted there. Meanwhile, NPM is the largest JavaScript repository with over a million available packages. Unfortunately, malware authors are launching a campaign against the Python Package Index (PyPI) and the npm repository for Python and JavaScript by distributing typo-squatted and false modules that, when installed, deliver a ransomware strain.

An Ongoing Attack Against Python and Javascript Developers

Updated December 09: "This actor is now active in NPM and has begun publishing packages there as well." says Phylum.

Typosquatting, a sort of cyberattack in which malware is delivered from a file with a similar name to a popular and legal piece of code, was used by the criminals to trick their victims into downloading the virus. In this case, the hackers are creating files with nearly identical names to the Python Requests package on PyPI.

According to a blog post published by Phylum, depending on the target system's OS and CPU architecture, the malicious packages would download a different Golang-based ransomware file from a remote server. Python packages dequests, fequests, gequests, rdquests, reauests, reduests, reeuests, reqhests, reqkests, requesfs, requesta, requeste, requestw, requfsts, resuests, rewuests, rfquests, rrquests, rwquests, telnserv.

If successful, the attack begins by encrypting information and replacing the victim's desktop backdrop with an actor-controlled image purporting to be from the Central Intelligence Agency (CIA). Then, the attackers demand $100 in cryptocurrency as payment for the ordeal.

The attacker now active in NPM

The threat actor has targeted PyPI and released five modules in npm (discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr). In each of these, you'll find the JavaScript analogues of the Python code examples given above:

The threat actor has not just targeted PyPI; they have also released five modules in npm (discordallintsbot, discordselfbot16, discord-all-intents-bot, discors.jd, and telnservrr). In each of these, you'll find the JavaScript analogues of the Python code.

As part of a continuing supply chain attack that likely began around September 25, 2022, researchers from Reversing Labs found 10 PyPI packages earlier this month that were delivering updated variants of W4SP Stealer malware.

It can steal information from several programs, including Telegram and Discord tokens, cryptocurrency wallets, and even cookies. In addition, an Israeli software supply chain security firm called Legit Security demonstrated a novel attack approach against a Rust repository around the same time, involving abusing GitHub Actions to taint otherwise legitimate artifacts.

Attackers might have accesses to sensitive data distribute extra payloads to every downstream user by substituting trojanized modules for the original ones.

Effective utilization of this loophole would allow an attacker to mislead the GitHub web application into running a malicious artefact. In addition, intruders might alter features like new releases, bug fixes, and code changes on existing branches. But as on September 26, 2022, the problem has been fixed.

December 13, 2022 Update: Attack continues

Update December 13: "Malware author continues to publish packages to PyPI. We identified these packages within 20m of publication and got them removed." says Phylum.

The attacker has not stopped distributing malicious packages to PyPI. Therefore, the most recent updates are now included in the above list, although the second phase is being fetched from 34.94.72.179.

A new version of the ransomware appears to have been developed by the attacker, and the list of supported platforms has been narrowed.

Conclusion

As it turns out, malware infecting electronics is nothing new. Circumstances like this occur frequently. However, like with any technology, ransomware eventually becomes obsolete. But this does leave us with the sobering realization that technology also has its downsides. Today, everyone has access to the most cutting-edge technology, and their actions may affect the lives of millions of others. The first step in data protection is to keep your system secure by never going to suspicious websites or clicking on unknown links in online content.