The PyPI repository is being bombarded by a wave of information-stealing malware. Threat actors are hiding these malware inside packages uploaded to the platform to launch supply chain attacks and steal sensitive data from developers.
What happened?
Researchers shared details of a new campaign that was used to deploy new stealer variants via PyPI packages to harvest software developers’ data.
These malware variants borrowed the base code from W4SP stealer and were dropped under different names such as Celestial Stealer, ANGEL stealer, Satan Stealer, @Skid Stealer, and Leaf $tealer.
Experts highlighted that 10 different stealer variants were observed being distributed via 16 packages that were downloaded more than a hundred times.
Some of the infected packages were modulesecurity, informodule, chazz, randomtime, easycordey, tomproxies, infosys, nowsys, captchaboy.
It is unclear if the newly found malware clones are operated by the same threat actors behind W4SP, however, it is believed that the attacks are from different groups attempting to mimic previous campaigns.
W4SP being used in targeted attacks
Last week, researchers discovered over two dozen Python packages on the PyPI registry pushing W4SP stealer on infected computers.
These packages mimicked popular libraries to hide their original identity and launched malware that exfiltrated Discord tokens, cookies, and saved passwords.
These packages were downloaded over 5,700 times before they were removed from the repository.
PyPI remains a lucrative target
Recently, a malicious package masquerading as SentinelOne SDK was uploaded to the repository, as part of a campaign dubbed SentinelSneak.
The package was pushed along with two dozen versions using similar names, which dropped a malicious backdoor to amass sensitive information such as credentials, SSH keys, and configuration data from systems.
In another attack, a bunch of malicious PyPI packages were used in a typosquatting campaign to launch DDoS attacks against Counter-Strike servers.
The repository was also abused in different campaigns to drop cryptominers on Linux machines and steal AWS credentials from systems.
Closing lines
The findings illustrate that hackers sense an opportunity for even larger attacks by targeting open-source package repositories. Developers andsecurity across organizations need to be careful as hackers will continue to evolve their attack tactics and use different names and accounts for malicious packages to expand these types of attacks.