November 22, 2024 at 01:58AM
Researchers found two malicious packages on PyPI, impersonating AI models to deploy the JarkaStealer malware. Uploaded in November 2023, the packages had 1,748 and 1,826 downloads, respectively. They revealed risks of supply chain attacks, emphasizing caution when using open-source components in development. The packages are now unavailable for download.
### Meeting Takeaways – Nov 22, 2024
**Topic:** Cybersecurity Threat from Malicious Python Packages
1. **Discovery of Malicious Packages:**
– Two packages, **gptplus** and **claudeai-eng**, were found on the Python Package Index (PyPI) that impersonated popular AI models (OpenAI ChatGPT and Anthropic Claude).
– These packages were uploaded by a user named “Xeroline” in November 2023 and have been downloaded 1,748 and 1,826 times, respectively. Both are now removed from PyPI.
2. **Nature of the Threat:**
– The packages contained malware known as **JarkaStealer**, an information stealer that collects sensitive data from users’ systems.
– The malicious code initiated during installation and specifically included Base64-encoded instructions in the `__init__.py` file to download a Java archive file and the Java Runtime Environment (if not already present).
3. **Capabilities of JarkaStealer:**
– Can harvest a wide variety of sensitive information, including:
– Web browser data
– System data
– Screenshots
– Session tokens from applications (e.g., Telegram, Discord, Steam)
– Once collected, the data is transmitted to the attacker’s server and deleted from the victim’s machine.
4. **MaaS Offering:**
– JarkaStealer is reportedly available via a malware-as-a-service (MaaS) model on Telegram, priced between $20 and $50. Its source code has been leaked on GitHub.
5. **Geographical Impact**:
– Downloads primarily occurred from users in the U.S., China, India, France, Germany, and Russia, indicating a wide reach as part of a prolonged supply chain attack campaign.
6. **Key Points from Experts:**
– Kaspersky researcher Leonid Bezvershenko emphasized the ongoing risks associated with software supply chain attacks.
– The event highlights the crucial importance of being vigilant when utilizing open-source components in software development.
To ensure safety and mitigate risks in future development processes, enhanced scrutiny and verification of open-source downloads are recommended.