Researchers at Checkmarx have discovered a sophisticated campaign in which attackers built credibility within the Python Package Index (PyPI) community to spread crypto-draining, data-stealing malware.
Over a month ago, the attackers uploaded a number of non-malicious Python packages, such as ‘spl-types’, to PyPI and promoted them on the StackExchange Q&A website to build credibility and evade detection ahead of the later attack.
Just over a week later, the attackers released malicious versions of the packages, which contained obfuscated malware in the ‘__init__.py’ file.
PyPI social hacking?
By first gaining the trust of the community, the hackers were able to get malware that runs automatically on installation onto the systems of unsuspecting victims, steal data, and empty cryptocurrency wallets.
The attackers posted seemingly helpful answers on popular StackExchange threads and directed users to their malicious package by abusing the trust inherent to these platforms.
A backdoor component gave the attackers persistent remote access, allowing for long-term exploitation and larger crypto wallet drains. The attack primarily targeted those involved with Raydium and Solana cryptocurrencies.
In addition to draining wallets, the malware also collected sensitive data such as browsing history, saved passwords, cookies, and credit card details. It also targeted messaging apps such as Telegram and Signal to take screenshots and search for files with specific keywords related to cryptocurrency and sensitive data.
Given the socially manipulative element of the attack, the researchers stress the importance of verifying the authenticity of software packages and remaining vigilant for potentially malicious forum content.
In addition, basic cybersecurity measures such as not downloading unknown content, securing online accounts with strong passwords and two-factor authentication, and keeping software up to date are essential steps in the fight against the spread of malware.
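As an added illustration (this is not Checkmarx's tooling or code from the article), the following Python script shows one check a practitioner can run on a downloaded wheel before installing it: it parses every `__init__.py` in the archive with the standard `ast` module and flags import-time calls such as `exec` fed by decoded or decompressed data, the obfuscation pattern described above. The archive contents and the package names `clean_pkg` and `shady_pkg` are constructed for the example.

```python
import ast
import io
import zipfile

# Call shapes that commonly appear in obfuscated, auto-executing module code.
SUSPICIOUS_CALLS = {"exec", "eval", "compile", "__import__"}
SUSPICIOUS_ATTRS = {("base64", "b64decode"), ("zlib", "decompress"), ("marshal", "loads")}


def suspicious_calls(source: str) -> list[str]:
    """Return the suspicious call names found anywhere in a Python source file."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["<unparseable>"]  # treat code the parser rejects as worth a manual look
    hits = []
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        f = node.func
        if isinstance(f, ast.Name) and f.id in SUSPICIOUS_CALLS:
            hits.append(f.id)
        elif (isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name)
              and (f.value.id, f.attr) in SUSPICIOUS_ATTRS):
            hits.append(f"{f.value.id}.{f.attr}")
    return hits


def scan_wheel(data: bytes) -> dict[str, list[str]]:
    """Scan every __init__.py inside a wheel (a zip archive) and report hits per file."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.endswith("__init__.py"):
                hits = suspicious_calls(zf.read(name).decode("utf-8", "replace"))
                if hits:
                    report[name] = hits
    return report


def build_sample_wheel() -> bytes:
    """Constructed sample archive: one clean package and one whose __init__.py
    execs a decoded payload at import time. The payload is never executed here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clean_pkg/__init__.py", "VERSION = '1.0'\nfrom .core import helper\n")
        zf.writestr("shady_pkg/__init__.py",
                    "import base64, zlib\n"
                    "exec(zlib.decompress(base64.b64decode('eJwDAAAAAAE=')))\n")
    return buf.getvalue()


if __name__ == "__main__":
    for path, hits in scan_wheel(build_sample_wheel()).items():
        print(f"{path}: {', '.join(hits)}")
```

A hit is a prompt to read the file, not proof of malice; legitimate packages occasionally use these calls, so review flagged files (and the package's history on PyPI) before installing.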