It’s been a while since we heard about malware hiding in PyPI packages, but researchers have now reported nearly a dozen of them lurking in the open source Python Package Index (PyPI) repository.
Cybersecurity researchers at Fortinet’s FortiGuard Labs have found nine packages that deliver the WhiteSnake Stealer. The packages are called nigpal, figflix, telerer, seGMM, fbdebug, sGMM, myGens, NewGends and TestLibs111. WhiteSnake is a Windows infostealer that can bypass antivirus programs and communicates with the C2 server via the Tor protocol, the researchers explain.
Its main function is to steal information from the compromised endpoints and execute various commands. The information it’s looking for mainly consists of data from web browsers, cryptocurrency wallets and browser add-ons, and major apps like Discord, Signal, Telegram, and the like.
Eyes on cryptos
It was also observed that some packages contain a more advanced version of the malware, which also comes with a clipboard monitor and an overwrite function. This feature is designed to help with cryptocurrency theft, as people who want to send their tokens from one address to another will almost always copy and paste the receiving address rather than typing it out. The malware lets the attackers replace the copied wallet address with one that belongs to them, so the victim unknowingly sends the funds to the attacker's address.
PyPI is one of the world’s largest and most popular Python package repositories. As such, it is a frequent target of threat actors who usually do one of two things: either create a malicious package from scratch, or engage in typosquatting – creating a package that looks like a legitimate package, and naming it almost exactly the same. That way, developers can accidentally install the malicious version.
Developers are urged to be vigilant when using PyPI and similar services and to always make sure the package they download is the legitimate one. They should keep an eye out for strange typos in package names, inconsistent download numbers, and user reviews.
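As an added illustration of that advice (example code written for this page, not from the article, Fortinet, or any PyPI tooling), the script below scans a requirements file for the nine package names reported above and flags dependency names that are an edit or two away from a known, approved package, which is the pattern a typosquat relies on. The approved-package list and the sample requirements are constructed assumptions.

```python
import difflib
import re

# Blocklist: the nine package names the article reports (normalised to lower case).
KNOWN_MALICIOUS = {
    "nigpal", "figflix", "telerer", "segmm", "fbdebug",
    "sgmm", "mygens", "newgends", "testlibs111",
}

# Assumed allowlist of packages a project is expected to depend on.
# In practice this would be an organisation's approved-package list.
POPULAR = {"requests", "numpy", "pandas", "flask", "django", "cryptography"}

_REQ_LINE = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    # PEP 503 normalisation: case-insensitive, runs of "-", "_" and "." collapse to "-".
    return re.sub(r"[-_.]+", "-", name).lower()


def check_requirements(text: str, cutoff: float = 0.8) -> list[tuple[str, str]]:
    """Return (package, reason) findings for the body of a requirements.txt."""
    findings = []
    for raw in text.splitlines():
        raw = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        m = _REQ_LINE.match(raw)
        if not m:
            continue
        pkg = normalize(m.group(1))
        if pkg in KNOWN_MALICIOUS:
            findings.append((pkg, "known malicious (WhiteSnake campaign)"))
        elif pkg not in POPULAR:
            # Close but not identical to an approved name: likely a typosquat.
            close = difflib.get_close_matches(pkg, POPULAR, n=1, cutoff=cutoff)
            if close:
                findings.append((pkg, f"possible typosquat of {close[0]}"))
    return findings


# Constructed sample requirements file.
SAMPLE = """\
requests==2.31.0
reqeusts
testlibs111
numpy>=1.26  # pinned
"""

if __name__ == "__main__":
    for pkg, reason in check_requirements(SAMPLE):
        print(f"{pkg}: {reason}")
```

The similarity cutoff is deliberately loose; tune it against your own allowlist so that legitimate short names do not collide.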
Via The Hacker News