In early August, the research team at ReversingLabs came across a malicious supply chain campaign, dubbed VMConnect, that included 24 harmful Python packages. The team has linked the packages to impersonations of three very common open-source Python tools.

Diving into details

The researchers have observed that the operators behind this campaign go to great lengths to create an illusion of authenticity in their activities. They set up GitHub repositories with descriptions that appear genuine and even use legitimate source code.
  • The latest packages identified include 'tablediter' (with 736 downloads), 'request-plus' (with 43 downloads), and 'requestspro' (with 341 downloads).
  • Among these newly discovered packages, the first one seems to masquerade as a utility for table editing, while the other two impersonate the widely used 'requests' Python library, which is employed for making HTTP requests.

Attribution

  • While ReversingLabs could not definitively attribute this campaign to a specific threat actor, CrowdStrike's analysts confidently attributed the malware to Labyrinth Chollima, a subgroup within the Lazarus Group, a North Korean state-sponsored threat group.
  • In addition to the above, JPCERT/CC linked the attack to DangerousPassword, another Lazarus Group subsidiary.
  • Considering these attributions and the notable code similarities between the packages found in the VMConnect campaign and those described in JPCERT/CC's research, the researchers concluded that the same threat actor is responsible for both attacks.

The bottom line

This VMConnect campaign represents yet another instance of malicious attacks aimed at PyPI repository users. To protect against such threats, organizations must invest in training and awareness against typosquatting and other impersonation attacks and bolster their defenses.
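The two 'requests' impersonations named above ('request-plus' and 'requestspro') illustrate the pattern defenders can check for mechanically: a near-miss of a popular name, or a popular name with an affix bolted on. The following Python script is an added example written for this summary, not ReversingLabs' or Cyware's tooling. It normalises dependency names the way PyPI does, then flags names that are one edit away from, or an affix of, a protected package. The protected-package list, the allowlist and the sample requirements lines are constructed for the example; 'tablediter' is included to show that a package masquerading as a generic utility, rather than as a known library, is not caught by this kind of check.

```python
"""Flag dependency names that look like impersonations of well-known packages.

Added example for this summary, not ReversingLabs' or Cyware's tooling.
The popular-package list, allowlist and sample requirements are constructed.
"""
import re

# Constructed sample of well-known PyPI names a team would treat as "protected".
POPULAR_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "flask", "django"}

# Constructed allowlist for legitimate extensions that share a prefix with a popular name.
ALLOWLIST = {"requests-oauthlib", "requests-toolbelt", "django-rest-framework"}


def normalize(name: str) -> str:
    """PEP 503 normalisation: lowercase, collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(name: str, known=POPULAR_PACKAGES, allow=ALLOWLIST):
    """Return why `name` resembles a protected package, or None if it does not."""
    n = normalize(name)
    if n in known or n in allow:
        return None
    compact = n.replace("-", "")      # "request-plus" -> "requestplus"
    tokens = n.split("-")             # "request-plus" -> ["request", "plus"]
    for k in sorted(known):
        kc = k.replace("-", "")
        if compact == kc:
            return f"separator/case variant of {k}"
        # Only fuzzy-match reasonably long names; short ones produce noise.
        if len(kc) < 5:
            continue
        if compact.startswith(kc) or compact.endswith(kc):
            return f"adds an affix to {k}"          # e.g. "requestspro"
        for t in [compact] + tokens:
            if levenshtein(t, kc) == 1:
                return f"one edit away from {k}"    # e.g. "request-plus"
    return None


def scan_requirements(lines):
    """Parse requirements.txt-style lines; return {name: reason} for suspicious names."""
    hits = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Project name ends at the first extras/version/marker character.
        name = re.split(r"[\s\[<>=!~;@]", line, 1)[0]
        reason = lookalike_reason(name)
        if reason:
            hits[name] = reason
    return hits


# Constructed requirements file using the package names from the summary.
SAMPLE_REQUIREMENTS = [
    "requests==2.31.0",
    "request-plus",
    "requestspro>=1.0",
    "tablediter",
    "requests-oauthlib  # legitimate extension, allowlisted",
    "numpy",
]

if __name__ == "__main__":
    for pkg, why in scan_requirements(SAMPLE_REQUIREMENTS).items():
        print(f"REVIEW {pkg}: {why}")
```

Hits are review candidates, not verdicts: a legitimate extension such as 'requests-oauthlib' would trip the affix rule without the allowlist, so the list of protected names and the allowlist should reflect the dependencies an organisation actually uses, and any flagged name should be checked against the real project's page before the install proceeds.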
Cyware Publisher