Malicious PyPI Packages Slip WhiteSnake InfoStealer Malware onto Windows Machines

January 29, 2024 at 01:03AM

Cybersecurity researchers have detected malicious packages on the PyPI repository containing a data-stealing malware, WhiteSnake Stealer, targeting Windows and Linux systems. The packages, uploaded by a threat actor named “WS,” incorporate encoded source code and aim to exfiltrate sensitive data and crypto wallet information. This discovery highlights the threat of info-stealing malware disseminated into open-source libraries.

Cybersecurity researchers have identified malicious packages on the open-source Python Package Index (PyPI) repository that deliver an information-stealing malware called WhiteSnake Stealer to Windows systems. The packages were uploaded by a threat actor named “WS” and embed Base64-encoded source code of PE files or other Python scripts within their setup.py files. When these packages are installed, the final malicious payload is dropped and executed according to the victim device’s operating system. The malware targets both Windows and Linux systems, with payloads tailored to each. It is designed to steal information from web browsers, cryptocurrency wallets, and various applications. The threat actor behind this campaign is tracked under the moniker PYTA31, and the end goal is to exfiltrate sensitive data, particularly crypto wallet data, from the target machines. The discovery underscores the ability of a single malware author to disseminate numerous info-stealing packages into PyPI over time, each with distinct payload intricacies.
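As an added example (not from the article or the researchers cited in it), the following Python script shows one defender-side check for the pattern described above: a long Base64 literal in setup.py that decodes to a PE executable or to a Python stub and is exec'd at install time. The embedded sample setup.py is constructed and harmless; the token list and size threshold are assumptions chosen for illustration.

```python
import ast
import base64
import binascii
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")
# Tokens suggesting a decoded blob is an installer stub rather than data.
SUSPICIOUS = ("exec(", "os.name", "platform.system", "subprocess", "urlopen")

# Constructed, harmless sample setup.py mimicking the pattern the article describes:
# a Base64-encoded Python stub that branches on the OS and is exec'd at install time.
_INNER = "import os\nif os.name == 'nt':\n    pass\n"
SAMPLE_SETUP_PY = f'''
import base64
payload = "{base64.b64encode(_INNER.encode()).decode()}"
exec(base64.b64decode(payload))
from setuptools import setup
setup(name="demo", version="0.1")
'''


def classify_blob(raw: bytes) -> "str | None":
    """Label a decoded blob: PE executable, embedded Python, or None."""
    if raw.startswith(b"MZ"):  # DOS/PE header of a Windows executable
        return "pe-executable"
    text = raw.decode("utf-8", errors="replace")
    return "embedded-python" if any(t in text for t in SUSPICIOUS) else None


def scan_setup_py(source: str) -> list:
    """Flag long Base64 literals that decode to code, plus exec/eval/b64decode calls."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            literal = node.value.strip()
            if not B64_RE.match(literal):
                continue
            try:
                raw = base64.b64decode(literal, validate=True)
            except (binascii.Error, ValueError):
                continue
            kind = classify_blob(raw)
            if kind:
                findings.append({"kind": kind, "line": node.lineno, "size": len(raw)})
        elif isinstance(node, ast.Call):
            name = ast.unparse(node.func)  # e.g. "exec" or "base64.b64decode"
            if name in ("exec", "eval", "base64.b64decode"):
                findings.append({"kind": f"call:{name}", "line": node.lineno, "size": 0})
    return findings
```

Running `scan_setup_py` over a package's setup.py before installation (for example in a CI gate on `pip download`ed sdists) surfaces the encoded-payload-plus-exec combination without executing anything.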
