A malicious campaign has been found targeting the Python Package Index (PyPI) repository: six malicious packages were distributing information stealers to developer PCs. Between December 22 and December 31, 2022, Phylum found the now-removed packages pyrologin, disorder, easytimestamp, style.py, discord-dev, and pythonstyles. The malicious code is concealed in the setup script (setup.py) of these libraries, so simply running a “pip install” command activated the malware deployment process.

The malware launches a PowerShell script that retrieves a ZIP archive, installs invasive dependencies such as pydirectinput, pynput, and pyscreenshot, and runs a Visual Basic Script extracted from the archive to deliver more PowerShell code. “These libraries allow one to control and monitor mouse and keyboard input and capture screen contents,” reads a technical report from Phylum.

The malicious software can also gather data from the Google Chrome, Microsoft Edge, Mozilla Firefox, Opera, Brave, Opera GX, and Vivaldi browsers, including cookies, saved passwords, and cryptocurrency wallet information. The attack additionally tries to download and install cloudflared, a command-line tool for Cloudflare Tunnel, which provides a “secure way to connect your resources to Cloudflare without a publicly routable IP address.”
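As an added illustration of the install-time trigger described above (a constructed example, not code from Phylum or the article), the following static triage script parses a package's setup.py and flags process-spawning or code-evaluating calls that pip would run on install, PowerShell or base64 markers in string literals, and the input-capture dependencies named in the report. The sample setup.py, the package name and the indicator lists are assumptions made for the demonstration.

```python
# Static triage of a package's setup.py for install-time code execution.
# Constructed example, not Phylum's or the article's tooling: it flags calls that
# spawn a process or evaluate code when pip imports setup.py, PowerShell/base64/
# cloudflared string markers, and the input-capture dependencies the report names.
import ast
import re

# Calls that execute code or spawn a process as soon as pip runs setup.py.
EXEC_CALLS = {"os.system", "os.popen", "subprocess.run", "subprocess.Popen",
              "subprocess.call", "subprocess.check_output", "exec", "eval"}
# Libraries the report says enable keyboard/mouse control and screen capture.
SUSPECT_DEPS = {"pydirectinput", "pynput", "pyscreenshot"}
STRING_MARKERS = ("powershell", "-encodedcommand", "b64decode", "cloudflared")

def _callee(node: ast.Call) -> str:
    # Dotted name of the callee, e.g. 'subprocess.Popen' or 'exec'.
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))

def triage_setup_py(source: str) -> list[str]:
    """Return one finding per suspicious construct; an empty list means clean."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _callee(node)
            if name in EXEC_CALLS:
                findings.append(f"line {node.lineno}: install-time execution via {name}()")
            elif name == "setup":  # install_requires=[...] pulling in capture libraries
                for kw in node.keywords:
                    if kw.arg == "install_requires" and isinstance(kw.value, ast.List):
                        for elt in kw.value.elts:
                            if isinstance(elt, ast.Constant) and isinstance(elt.value, str):
                                dep = re.split(r"[<>=!~;\[ ]", elt.value, maxsplit=1)[0].lower()
                                if dep in SUSPECT_DEPS:
                                    findings.append(f"line {elt.lineno}: input-capture dependency {dep}")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            hits = [m for m in STRING_MARKERS if m in node.value.lower()]
            if hits:
                findings.append(f"line {node.lineno}: suspicious string marker {hits[0]!r}")
    return findings

# Constructed sample that mimics the described pattern: code runs during pip install.
SAMPLE_SETUP_PY = '''from setuptools import setup
import subprocess
subprocess.Popen(["powershell", "-EncodedCommand", "PLACEHOLDER_PAYLOAD"])
setup(name="example-pkg", install_requires=["requests", "pynput>=1.7", "pyscreenshot"])
'''
```

Running `triage_setup_py(SAMPLE_SETUP_PY)` on the constructed sample yields five findings: the Popen call, the two PowerShell string markers, and the two input-capture dependencies.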
How does Binary Defense help protect your organization? With best-in-breed cybersecurity tactics, techniques, and services, we make sure that your environment is secure against the most advanced attacks.