A malicious Python package named “pytoileur” has been discovered on the Python Package Index (PyPI) repository [1] [2] [3], a supply chain threat to the developers who install it and to the wider Python ecosystem.

Description

The package [1] [2] [3] [4] [5] [6] [7], uploaded by the author PhilipsPY, was flagged for containing code designed to facilitate cryptocurrency theft. After PyPI maintainers removed it, a new version (1.0.2) was uploaded. The malicious code lives in the package's setup file, which runs at install time, so merely installing the package from source is enough to trigger it; no import is needed. It executes a base64-encoded payload that retrieves a Windows binary called “Runtime.exe,” which is then launched using Windows PowerShell and VBScript commands [1] [4]. The binary establishes persistence [1] [4], drops additional payloads [1], and harvests data from web browsers and cryptocurrency services [1] [3].

Sonatype identified a Stack Overflow account promoting the package in answers to developers' questions [1] [3], which suggests a coordinated campaign by the threat actors [3]. The discovery is part of a larger campaign involving other malicious packages such as “gpt-requests” and “pyefflorer,” all of which use the same base64 encoding technique to conceal their payloads [2] [6]. One of these packages, “lalalaopti,” contained modules for clipboard hijacking [2] [6], keylogging [2] [4] [6], and remote webcam access [2] [4] [6]. The threat actors are targeting developers working in AI and machine learning [2] [4] [5] [6] and users of popular Python projects like Pyston [6].

The abuse of a trusted platform as a malware propagation vector is concerning for developers globally [1]. Package metadata and authorship history overlap with prior campaigns involving bogus Python packages such as Pystob and Pywool [1] [3], highlighting the ongoing threat that supply chain attacks pose to open-source ecosystems [1].
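The following is an added example, not code from the page or from Sonatype or any of the cited outlets. It shows a static pre-install check for the setup file pattern described above: it parses a setup.py with Python's ast module, flags exec()/eval() calls whose argument passes through a base64-style decode, decodes such string literals without executing them, and greps the result for dropper indicators (PowerShell, an .exe download, a URL). It also flags long runs of whitespace that push code past the visible edge of an editor; that check is included as a general heuristic for this family of obfuscation, not as a claim about what this specific package did. The sample setup.py, its placeholder payload, and the example.invalid URL are constructed for illustration and download or run nothing.

```python
"""Static scan of a setup.py for the exec(base64.b64decode(...)) install-time pattern.

Added example; the sample setup.py, placeholder payload and example.invalid URL
below are constructed for illustration and are not taken from any real package.
"""
import ast
import base64
import re

# Strings a practitioner would expect in a decoded dropper stage. Heuristic, not exhaustive.
SUSPICIOUS_PAYLOAD_TERMS = (
    "powershell", "cscript", "wscript", ".exe",
    "http://", "https://", "urlopen", "subprocess", "os.system",
)
DECODE_FUNCS = {"b64decode", "b32decode", "b16decode", "a85decode", "b85decode"}
EXEC_FUNCS = {"exec", "eval"}


def _callee_name(call):
    """'exec' for exec(...), 'b64decode' for base64.b64decode(...), '' otherwise."""
    func = call.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def _decode_b64_text(literal):
    """Strictly decode a str literal as base64 text; None if it is not base64."""
    try:
        return base64.b64decode(literal, validate=True).decode("utf-8", "replace")
    except Exception:  # binascii.Error on bad alphabet/padding, ValueError on non-ASCII
        return None


def scan_setup_py(source, pad_threshold=120):
    """Return [(line_no, kind, detail), ...] findings for a setup.py source text.

    1. a run of pad_threshold or more spaces/tabs followed by more code on the
       same line (code hidden off-screen to the right);
    2. exec()/eval() calls, noting whether the argument goes through a decode call;
    3. base64 literals inside such calls, decoded statically (never executed)
       and searched for dropper indicators.
    """
    findings = []
    pad_re = re.compile(r"[ \t]{%d,}\S" % pad_threshold)
    for line_no, line in enumerate(source.splitlines(), 1):
        m = pad_re.search(line)
        if m:
            run = m.end() - m.start() - 1  # exclude the non-space char that ends the match
            findings.append((line_no, "whitespace_padding",
                             "%d-char run at column %d" % (run, m.start() + 1)))

    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        findings.append((exc.lineno or 0, "parse_error", str(exc.msg)))
        return findings

    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and _callee_name(node) in EXEC_FUNCS):
            continue
        decoders = [_callee_name(n) for n in ast.walk(node)
                    if isinstance(n, ast.Call) and _callee_name(n) in DECODE_FUNCS]
        if not decoders:
            findings.append((node.lineno, "dynamic_exec", _callee_name(node)))
            continue
        findings.append((node.lineno, "exec_of_decoded_data",
                         "%s(%s)" % (_callee_name(node), ",".join(decoders))))
        for sub in ast.walk(node):  # every str literal fed into this exec/eval
            if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
                decoded = _decode_b64_text(sub.value)
                if decoded is None:
                    continue
                hits = [t for t in SUSPICIOUS_PAYLOAD_TERMS if t in decoded.lower()]
                if hits:
                    findings.append((node.lineno, "payload_indicators", ",".join(hits)))
    return findings


def is_suspicious(source):
    """Any finding at all is enough to hold a package for manual review."""
    return bool(scan_setup_py(source))


# Constructed sample: a harmless placeholder stage encoded the way a dropper stage would be,
# appended to a normal-looking setup() call behind 300 spaces so it sits off-screen.
_PLACEHOLDER_STAGE = (
    'print("placeholder: a real dropper would fetch '
    'https://example.invalid/Runtime.exe and launch it with powershell")'
)
_ENCODED = base64.b64encode(_PLACEHOLDER_STAGE.encode()).decode()
SAMPLE_SETUP_PY = (
    "from setuptools import setup\n"
    "import base64\n"
    "setup(name='pkg-under-review', version='1.0.2')"
    + " " * 300
    + ";exec(base64.b64decode('%s'))\n" % _ENCODED
)
CLEAN_SETUP_PY = "from setuptools import setup\nsetup(name='clean-pkg', version='0.1')\n"

if __name__ == "__main__":
    for finding in scan_setup_py(SAMPLE_SETUP_PY):
        print("line %d  %-22s %s" % finding)
    print("clean sample findings:", scan_setup_py(CLEAN_SETUP_PY))
```

Run it against a downloaded sdist's setup.py before building: the decode step only turns the literal back into text, so a staged payload is never evaluated, and the indicator list can be extended with whatever a particular team treats as a hard stop (for example any URL at all in install-time code).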

Conclusion

This discovery underscores the importance of cybersecurity measures that protect developers from counterfeit components and emerging threats. To mitigate the risk of similar attacks [7], users are advised to verify package authenticity before installing (check the publisher, release history and the package's age, and pin dependencies with hashes so a swapped release fails to install) [7], to utilize security tools that detect and block malicious packages [7], to review a package's setup file for encoded or off-screen code before installing it from source, and to stay informed with the latest security advisories [7].

References

[1] https://www.443news.com/2024/05/cybercriminals-abuse-stackoverflow-to-promote-malicious-python-package/
[2] https://ciso2ciso.com/new-pypi-malware-pytoileur-steals-crypto-and-evades-detection-source-www-infosecurity-magazine-com/
[3] https://neznew.com/cybercriminals-exploit-stackoverflow-to-promote-malicious-python-packages/
[4] https://www.sonatype.com/blog/pypi-crypto-stealer-targets-windows-users-revives-malware-campaign
[5] https://cyberinsider.com/malicious-pypi-package-promoted-on-stackoverflow-spreads-malware/
[6] https://www.infosecurity-magazine.com/news/pypi-malware-pytoileur-steals/
[7] https://securityboulevard.com/2024/05/malicious-pypi-package-pytoileur-targets-windows-and-leverages-stack-overflow-for-distribution/