Hundreds of malicious PyPI packages are spreading havoc online
>
A recent malware campaign that used PyPI to steal people’s cryptocurrency is not only still active, but has expanded significantly over the past three months.
According to a new report from cybersecurity researchers Phylum, the threat actors are said to create malicious Python packages and upload them to PyPI, the programming language’s largest code repository.
developers (opens in new tab) would then download these packages to speed up the development process, effectively putting themselves and anyone using their products at risk.
PyPl typosquatting
The threat actors would engage in typosquatting – a technique where the malicious package has a name nearly identical to a legitimate package, differing in just one letter or symbol. That way, the developers who mistype the name while searching for specific packages can unknowingly infect their products. Furthermore, if they search for packages and find several with similar names, they may not have the time or patience to analyze them thoroughly.
When this campaign was first spotted in 2022, the researchers found exactly 27 packages – but this number has now swelled to 451. The attackers are said to be mimicking some of the more popular packages, each of which is said to have between 13 and 38 typosquatted versions.
Those who download the malicious package may have their cryptocurrency stolen. The malware would install an add-on for some of the most popular browsers (Chrome, Edge, Brave, Opera), which would check the clipboard for cryptocurrency addresses. If one is found, it will be replaced with another address that is hard-coded into the add-on during pasting.
The idea is that people don’t memorize crypto wallets, but rather copy and paste them when sending money. Wallet addresses are a long string of random characters, making it virtually impossible to remember one. It also means that when copying and pasting an address, the address can be swapped relatively easily, without the victim noticing (unless they inspect both addresses to make sure they are identical, which is a recommended best practice) .
Users who are not careful can easily lose all of their cryptos in a transaction that cannot be reversed (unless it was sent to a third party such as an exchange, which is highly unlikely).
Through: Beeping computer (opens in new tab)