December 14, 2023 at 11:00AM
Cybersecurity researchers have found 116 malicious packages in the Python Package Index repository infecting Windows and Linux systems, targeting around 10,000 downloads since May 2023. Attackers employ various techniques to bundle malicious code, mainly aiming to compromise hosts with backdoor malware, including W4SP Stealer and clipper malware. Python developers are urged to thoroughly vet downloaded code.
Key takeaways from the meeting notes on the Newsroom Malware/Supply Chain Attack case are as follows:
– Cybersecurity researchers discovered 116 malicious packages on the Python Package Index (PyPI) repository designed to infect Windows and Linux systems with a custom backdoor.
– The packages have been estimated to have been downloaded over 10,000 times since May 2023.
– Threat actors used various techniques to embed malicious code into Python packages, including using test.py script, PowerShell in setup.py file, and obfuscated form in the __init__.py file.
– The primary goal of the campaign is to compromise the targeted host with malware, particularly a backdoor capable of remote command execution, data exfiltration, and taking screenshots.
– The attack chains can also result in the deployment of W4SP Stealer or a clipper malware designed to monitor clipboard activity and swap original wallet addresses with attacker-controlled addresses.
– This incident is the latest in a series of compromised Python packages used by attackers to distribute various types of malware for supply chain attacks.
Additionally, the meeting notes mentioned a related discovery of npm packages targeting an unnamed financial institution as part of an advanced adversary simulation exercise, which is linked to exfiltrating user credentials to a Microsoft Teams webhook.
The researchers advised Python developers to thoroughly vet the code they download before installing it on their systems, especially checking for the described techniques.
Finally, the meeting notes concluded with a call to action for readers to follow the source on Twitter and LinkedIn for more exclusive content.