
Supply Chain Attack Detected in PyPI Library

Silviu STAHIE

August 02, 2021


Security researchers have discovered numerous malicious Python packages hosted in the PyPI package repository, likely planted there by criminals hoping to catch developers who install them in a supply chain attack.

Software repositories make good targets in supply chain attacks because the potential victims would not be as suspicious. When users download a library or an application from an official source or even a trusted third-party repository, they don’t expect to get infected. Unfortunately, it happens quite often, which is even more reason to use a security solution.

Assuming that a repository is secure is not a safe bet, as the researchers from JFrog found out.

“We are now reporting several Python packages hosted on PyPI as malicious,” said the JFrog team. “We have alerted PyPI about the existence of the malicious packages which promptly removed them. Based on data from pepy.tech, we estimate the malicious packages were downloaded about 30,000 times.”

The list of packages detected as malware:

| Package name | Maintainer | Payload |
|---|---|---|
| noblesse | xin1111 | Discord token stealer, credit card stealer (Windows-based) |
| genesisbot | xin1111 | Same as noblesse |
| are | xin1111 | Same as noblesse |
| suffer | Suffer | Same as noblesse, obfuscated by PyArmor |
| noblesse2 | Suffer | Same as noblesse |
| noblessev2 | Suffer | Same as noblesse |
| pytagora | leonora123 | Remote code injection |
| pytagora2 | leonora123 | Same as pytagora |

The packages hid various functionalities, such as a credit card stealer and code injection. Leaving aside the direct effects of the malware, the attackers would have been able to deploy other tools, if necessary. The packages also used several forms of obfuscation, some more complex than others, in an attempt to avoid detection.

“Lack of moderation and automated security controls in public software repositories allow even inexperienced attackers to use them as a platform to spread malware, whether through typosquatting, dependency confusion, or simple social engineering attacks,” the researchers said.

Unfortunately, it’s difficult to determine the real-world impact of these tools, but given the number of downloads in this scheme, it stands to reason that the attackers likely compromised at least some systems belonging to the people who downloaded the packages.
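One practical step a team can take after a disclosure like this is to audit its dependency manifests against the reported package names. The script below is an added example written for this article; it is not code from JFrog, PyPI or Bitdefender. It assumes input in the plain `requirements.txt` / `pip freeze` line format, normalizes names the way PyPI does (case-insensitive, with runs of `-`, `_` and `.` collapsed to `-`), flags any dependency whose name matches the table above, and also flags dependencies that are not pinned to an exact version, since unpinned names are what typosquatting and dependency-confusion attacks exploit. The sample requirements file at the bottom is constructed for the demonstration.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Package names reported as malicious in the JFrog disclosure quoted on this page.
MALICIOUS_PYPI_PACKAGES = {
    "noblesse", "genesisbot", "are", "suffer",
    "noblesse2", "noblessev2", "pytagora", "pytagora2",
}

# Matches "name[extras] <operator>..." at the start of a requirement line.
_REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(===|==|>=|<=|~=|!=|<|>)?"
)


def normalize_name(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become a single '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirement(line: str) -> Optional[Tuple[str, bool]]:
    """Return (normalized_name, is_pinned) for one requirement line.

    Comments, blank lines and pip options such as '-r other.txt' yield None.
    A dependency counts as pinned only when it uses '==' with an exact version.
    """
    stripped = line.split("#", 1)[0].strip()
    if not stripped or stripped.startswith("-"):
        return None
    match = _REQ_LINE.match(stripped)
    if not match:
        return None
    return normalize_name(match.group(1)), match.group(2) == "=="


def audit_requirements(
    lines: Iterable[str], blocklist: Iterable[str] = MALICIOUS_PYPI_PACKAGES
) -> Dict[str, List[str]]:
    """Check requirement lines against a blocklist of package names.

    Returns {'malicious': [...], 'unpinned': [...]} in the order encountered.
    """
    normalized_blocklist = {normalize_name(n) for n in blocklist}
    findings: Dict[str, List[str]] = {"malicious": [], "unpinned": []}
    for line in lines:
        parsed = parse_requirement(line)
        if parsed is None:
            continue
        name, pinned = parsed
        if name in normalized_blocklist:
            findings["malicious"].append(name)
        if not pinned:
            findings["unpinned"].append(name)
    return findings


# Constructed sample manifest (not from the page): a mix of legitimate names,
# two of the reported packages, a pip include line and an unpinned dependency.
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.25.1
Noblesse==1.0.0
pytagora
-r other.txt
numpy>=1.20
"""

if __name__ == "__main__":
    result = audit_requirements(SAMPLE_REQUIREMENTS.splitlines())
    for pkg in result["malicious"]:
        print(f"BLOCKED: {pkg} is on the reported-malicious list")
    for pkg in result["unpinned"]:
        print(f"WARN: {pkg} is not pinned to an exact version")
```

Running this against the constructed sample flags `noblesse` (matched despite the capitalised spelling) and `pytagora` as malicious, and reports `pytagora` and `numpy` as unpinned. In a CI pipeline the same check can run on `pip freeze` output so that transitive dependencies are covered as well.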
