New Delhi, August 9, 2022 - Researchers at Spectralops.io, a Check Point company, have detected ten malicious packages on PyPI, a repository of software for the Python programming language. Threat actors run malicious code on target machines by duping users through misleading names and descriptions of familiar packages. Installation of malicious packages enable threat actors to steal private data and personal credentials of developers. PyPI has over 609,020 active users, working on 388,565 projects, with 3,630,725 releases.

  • Researchers provide visual examples of malicious packages caught
  • Attacks rely on the fact that the Python installation process can include arbitrary code snippets
  • Researchers alerted PyPI whose later removed these packages

Researchers at Spectralops.io, a Check Point company, have detected ten malicious packages on PyPI, a repository of software for the Python programming language. The security threat allows malicious actors to run malicious code on target machines, enabling attackers to steal private data and personal credentials of developers. The threat actors would leverage misleading names and descriptions of familiar packages to dupe users into installation.  

PyPI helps developers find and install software developed and shared by other developers of this community. According to their own website, PyPI has over 609,020 active users, working on 388,565 projects, with 3,630,725 releases.

Attack Methodology 

To execute their attacks, cyber criminals will trick users into installing a malicious package by using misleading names and descriptions. As part of the installation script, the malicious packages execute a malicious act, such as stealing user credentials. The malicious code finishes by sending the credentials it steals elsewhere. Ultimately, users are not aware that all of this has just happened. 

Malicious Packages

Check Point Research (CPR) provides details on the packages they detected.

  • Ascii2text. The code was responsible for downloading and executing a malicious script that searches for local passwords and uploads them using a discord web hook.
  • Pyg-utils, Pymocks and PyProto2. As part of its setup.py installation, Pyg-utils connects to a malicious domain (pygrata.com) which could be an infrastructure for a phishing attack. Pymocks and PyProto2 interestingly have almost identical code which targets a different domain - pymocks.com.
  • Test-async. Described in its description as a ‘very cool test package that is extremely useful and that everyone needs 100%’. In its setup.py installation script it downloads and executes, probably malicious, code from the web. Interestingly, prior to downloading that snippet, it notifies a Discord channel that a ‘new run’ was started.
  • Free-net-vpn and Free-net-vpn2 are malicious packages which target environment variables. These secrets are then published to a site mapped by a dynamic DNS mapping service.
  • Zlibsrc, probably trying to confuse PyPI users with the popular Python built-in zlib package.
  • Browserdiv, steal the installers’ credentials and send them to a Discord web hook as part of the installation process.
  • WINRPCexpoit, describes itself as a ‘package to exploit windows RPC Vulnerability’ while the reality is, it just steals the installer’s credentials.

*Disclamier: "The pages slugged ‘Press Release’ are equivalent to advertisements and are not written and produced by Success Insights India Media journalists/Editorial." We do not hold any copyrights towards the content or image. Image source: Newswire