ESET Research recently discovered a cluster of 116 malicious packages on the Python Package Index (PyPI). The packages have been downloaded more than 10,000 times since May 2023 and are built to infect both Windows and Linux hosts with a custom backdoor.

Description

The operators behind this activity use three techniques to bundle malicious code into otherwise ordinary-looking Python packages [1] [3] [4]: a stand-alone test.py module that carries the payload, PowerShell embedded in setup.py, which runs when the source distribution is installed [3] [4], and obfuscated code in the package's __init__.py [3]. In every case the goal is to compromise the host [3] with malware, most often a backdoor that supports remote command execution [3] [4], file exfiltration [1] [3] [4] and screenshot capture.

The backdoor is implemented in Python on Windows and in Go on Linux [3] [4]. In some packages the operators instead drop the W4SP Stealer, or a clipper that watches the clipboard and swaps cryptocurrency wallet addresses for attacker-controlled ones [3]. Python developers should review a package's contents before installing it and learn to recognise these techniques [3].
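A minimal triage script for the three bundling techniques described above, added here as an example (it is not ESET's tooling, and the indicator patterns and thresholds are this example's own assumptions). It scans an already unpacked package directory, so no setup.py is executed, and flags install-time execution in setup.py, obfuscation indicators in any module, and a test.py that carries such code. The sample package it builds is constructed for the demonstration with inert placeholder strings.

```python
"""Heuristic triage of an unpacked Python package for the three bundling
techniques described above.  Added example; the patterns and thresholds are
this example's own assumptions, not ESET's detection logic."""
import re
import tempfile
from pathlib import Path

# Install-time execution indicators, checked only in setup.py, which pip runs
# when it builds a source distribution.
SETUP_PY_PATTERNS = {
    "powershell invoked at install time": r"powershell",
    "process spawned at install time": r"\bsubprocess\.|\bos\.system\s*\(",
    "network fetch at install time": r"urllib\.request|\brequests\.(get|post)\b|\bsocket\.",
}
# Obfuscation indicators, checked in every module (setup.py and test.py included).
OBFUSCATION_PATTERNS = {
    "dynamic code execution": r"\bexec\s*\(|\beval\s*\(",
    "base64-decoded payload": r"\bb64decode\s*\(",
    "marshal/zlib-decoded payload": r"\bmarshal\.loads|\bzlib\.decompress",
    "long hex-escaped string": r"(\\x[0-9a-fA-F]{2}){16,}",
}
LONG_LINE = 500  # assumed threshold: obfuscated blobs are usually one huge line


def _matches(text, patterns):
    return [label for label, pat in patterns.items() if re.search(pat, text, re.IGNORECASE)]


def scan_package(root):
    """Return {relative path: [reason, ...]} for each suspicious .py file under root."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.py")):
        text = path.read_text(encoding="utf-8", errors="replace")
        reasons = _matches(text, OBFUSCATION_PATTERNS)
        longest = max((len(line) for line in text.splitlines()), default=0)
        if longest > LONG_LINE:
            reasons.append(f"line of {longest} chars")
        if path.name == "setup.py":
            reasons = _matches(text, SETUP_PY_PATTERNS) + reasons
        elif path.name == "test.py" and reasons:
            # first vector: the payload lives in a stand-alone test.py module
            reasons.insert(0, "stand-alone test.py carrying suspicious code")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings


def build_sample_package(base):
    """Write a constructed package layout exhibiting all three techniques.
    Every 'payload' is an inert placeholder; nothing here is real malware."""
    base = Path(base)
    pkg = base / "examplepkg"
    pkg.mkdir(parents=True)
    # second vector: PowerShell launched from setup.py at install time
    (base / "setup.py").write_text(
        "import subprocess\nfrom setuptools import setup\n"
        "subprocess.Popen(['powershell', '-w', 'hidden', '-c', 'echo placeholder'])\n"
        "setup(name='examplepkg', version='0.1')\n"
    )
    # third vector: obfuscated __init__.py, one 600+ character base64 line ('AAA...')
    (pkg / "__init__.py").write_text(
        "import base64\nexec(base64.b64decode('" + "QUFB" * 160 + "'))\n"
    )
    # first vector: test.py feeding a hex-escaped blob to marshal/zlib
    (pkg / "test.py").write_text(
        "import marshal, zlib\nBLOB = b'" + "\\x00" * 40 + "'\n"
        "obj = marshal.loads(zlib.decompress(BLOB))\n"
    )
    (pkg / "utils.py").write_text("def add(a, b):\n    return a + b\n")  # benign control
    return base


def demo():
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_package(tmp)
        return scan_package(tmp)


if __name__ == "__main__":
    for rel, reasons in demo().items():
        print(rel, "->", "; ".join(reasons))
```

Run it against the unpacked archive of a package you have not yet installed. Fetch the archive itself rather than relying on pip as a safe download step, since pip may run setup.py to prepare metadata for a source distribution. The patterns are deliberately noisy: a hit is a reason to read the file, not a verdict, and a clean result does not prove the package is benign.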

The discovery fits a broader pattern of malicious Python packages being used to deliver malware in supply chain attacks [3]. In May 2023 [1] [2] [3] [4], another cluster of PyPI packages was found delivering malware built to steal passwords and cryptocurrency [2].

Conclusion

Python developers should treat code downloaded from PyPI with caution. Reviewing a package before installing it, and knowing what install-time execution and obfuscation look like, reduces the risk of compromising a development machine. This discovery highlights the continuing use of malicious Python packages in supply chain attacks and the need for stronger controls and awareness within the Python development community.

References

[1] https://thehackernews.com/2023/12/116-malware-packages-found-on-pypi.html
[2] http://blog.cadre.net/it-security-newsletter/12-13-2023
[3] https://ciso2ciso.com/116-malware-packages-found-on-pypi-repository-infecting-windows-and-linux-systems-sourcethehackernews-com/
[4] https://droidtuto.com/116-packages-de-logiciels-malveillants-trouves-sur-le-referentiel-pypi-infectant-les-systemes-windows-et-linux/