November 17, 2023 at 06:00AM
An unidentified threat actor has been uploading malware-laden fake Python libraries to the PyPI repository for the past six months. Disguised as legitimate packages, these 27 libraries have attracted thousands of downloads from various countries. The attacker used steganography to hide malicious payloads within innocent-looking image files. The packages included malicious references to other packages that deployed Visual Basic Script to achieve persistence and extract sensitive information. In another attack chain, the attacker hid executable code within a PNG image. This campaign serves as a reminder of the ongoing threats in the digital landscape, especially in areas involving the open exchange of code. Meanwhile, protestware npm packages have been found broadcasting peace-related messages regarding conflicts in Ukraine and Israel. The presence of secrets in open-source packages also poses significant risks, with numerous instances of credentials being exposed. To address these issues, the U.S. government has issued new guidance for software developers and suppliers to ensure software security.
Key takeaways from the meeting notes are as follows:
1. An unknown threat actor has been publishing typosquat packages on the Python Package Index (PyPI) repository for six months to deliver malware and gain financial gain through persistence, sensitive data theft, and accessing cryptocurrency wallets.
2. These malicious packages masquerade as popular Python libraries and have attracted thousands of downloads, primarily from the U.S., China, France, Hong Kong, Germany, Russia, Ireland, Singapore, the U.K., and Japan.
3. The attack utilized steganography to hide malicious payloads within innocent-looking image files, making it more stealthy.
4. Pyefflorer, pyminor, pyowler, pystallerer, pystob, and pywool are some of the packages identified in the attack.
5. The packages use the setup.py script to reference other malicious packages (pystob and pywool) that deploy a Visual Basic Script (VBScript) to achieve persistence and execute a file named “Runtime.exe” that gathers information from web browsers, cryptocurrency wallets, and other applications.
6. An alternate attack chain involves hiding the executable code within a PNG image (“uwu.png”) to extract the public IP address and the universally unique identifier (UUID) of the affected system.
7. Pystob and Pywool were disguised as tools for API management but exfiltrated data to a Discord webhook and attempted to maintain persistence by placing a VBS file in the Windows startup folder.
8. ReversingLabs discovered a wave of protestware npm packages that broadcast messages related to conflicts in Ukraine and Israel.
9. These packages, such as @snyk/sweater-comb and e2eakarev, determine the host’s geographic location and display messages criticizing actions related to those locations.
10. GitGuardian revealed the presence of 3,938 unique secrets across PyPI projects, including AWS keys, Azure Active Directory API keys, GitHub OAuth app keys, and credentials associated with various services.
11. Many of these leaked secrets were found multiple times across multiple release versions, totaling 56,866 occurrences.
12. Exposing secrets in open-source packages poses significant risks, such as unauthorized access and social engineering attacks.
13. The U.S. government has issued new guidance for software developers and suppliers to improve software security and raise awareness about software supply chain risks.