A new wave of zero-day attacks has been targeting PyPI packages. The developer of these malicious packages, dubbed Core1337, has published five packages to the public repository - all designed to launch specific attacks.

The malicious packages

According to Fortinet researchers, all of these malicious packages were published between January 27 and January 29.
  • While the packages had similar code, they had entirely different names such as hypixel-coins, 3m-promo-gen-api, httpxrequesterv2, Ai-Solver-gen, and httpxrequester.
  • Each of these packages had one single version uploaded to the repository, with no description of their functionalities.
  • These packages let the attacker carry out malicious activity, such as exfiltrating sensitive information through Discord webhooks, from a single Python script.

All the malicious packages have similar code in the setup.py file; the only major difference between them is the webhook URL. Based on these URLs, the malicious activity is suspected to be related to Spidey Bot, a malware that abuses Discord to steal information and spy on victims.

Technical details

The malicious code comprises multiple programmatic functions (sequences of code that each perform a specific task). Five important ones (getPassw, uploadToAnonfiles, Kiwi, KiwiFile, upload) are detailed below:
  • The getPassw function is used to gather credentials from popular web browsers, including Opera, Brave, Google Chrome, Yandex, and Microsoft Edge, and save them to a text file.
  • Functions uploadToAnonfiles, Kiwi, and KiwiFile scan specific folders on the hard drive for keywords related to logins, accounts, and banks.
  • The files matching the above search results are uploaded to the file-sharing site transfer[.]sh via the upload function.
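Because the packages share one setup.py that differs only in its webhook URL, a defender can triage a downloaded sdist before installing it by scanning setup.py for the behaviours described above. The following is an added example, not code from the article or from the malicious packages; the indicator patterns, the browser profile path names, and the sample setup.py (with a placeholder webhook) are all assumptions constructed for illustration:

```python
import io
import re
import tarfile

# Indicators modelled on the behaviour described above: a Discord webhook URL in
# setup.py, an upload to transfer.sh, and browser credential-store paths (assumed).
INDICATORS = {
    "discord_webhook": re.compile(
        r"https?://(?:\w+\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "transfer_sh_upload": re.compile(r"transfer\.sh"),
    "browser_credential_store": re.compile(
        r"Login Data|User Data|Opera Software|BraveSoftware|Yandex", re.I),
}

def scan_setup_py(source: str) -> dict:
    """Return {indicator_name: [matches]} for each indicator found in the text."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = pattern.findall(source)
        if found:
            hits[name] = sorted(set(found))
    return hits

def scan_sdist(sdist_bytes: bytes) -> dict:
    """Open an sdist tarball in memory and scan every setup.py inside it."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(sdist_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith("setup.py"):
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                if hits := scan_setup_py(text):
                    report[member.name] = hits
    return report

def build_sample_sdist(setup_py: str, name: str = "pkg-0.1/setup.py") -> bytes:
    """Constructed fixture: a minimal gzipped tarball holding one setup.py."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = setup_py.encode()
        info = tarfile.TarInfo(name)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

# Constructed sample; the webhook id/token are placeholders, not real IoCs.
SUSPICIOUS_SETUP = '''from setuptools import setup
WEBHOOK = "https://discord.com/api/webhooks/000000000000000000/PLACEHOLDER_TOKEN"
LOGIN_DB = "Google/Chrome/User Data/Default/Login Data"
UPLOAD = "https://transfer.sh/"
setup(name="pkg", version="0.1")
'''
```

A hit is a reason to inspect the package by hand (setup.py runs at install time), not proof of malice; a clean scan proves nothing if the payload is obfuscated or lives outside setup.py.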

Ending notes

The attacker created multiple packages with entirely different names, possibly to test some functionality or tactics. The lack of a common standard across online public repositories adds to the risk of abuse by malicious adversaries. Developers are therefore advised to be extra cautious when downloading PyPI packages, especially those written by unknown authors and that have no reviews.
Cyware Publisher