On Monday, researchers from Check Point released a report detailing ten malicious packages that were being distributed on the Python Package Index (PyPI), the most widely used repository for Python packages. The packages have since been taken down. These packages abuse the setup.py component of the installation process for the package, which is normally used for staging the installer’s machine for successful installation. A summary of the offending packages is below:
- Ascii2text, a clone of the art package, targets passwords stored in browsers
- Pyg-utils, pymocks, and pyproto2 harvest AWS credentials
- Test-async downloads malicious code
- Free-net-vpn and Free-net-vpn2 harvest environment variables
- Zlibsrc downloads a malicious executable
- Browserdiv steals user credentials
- WINRPCexploit steals environment variables
Analyst Notes
Companies can protect themselves from software supply chain attacks such as these through a few methods. In dealing with credential stealing attacks, using dedicated development workstations can help reduce the amount of information attackers can gather. Additionally, these attacks relied on Discord for Command and Control (C2) communication and malware distribution, so blocking communication with Discord’s servers would prevent these and any other attacks that rely on Discord. More generally, developers should verify package functions prior to using them. Companies can maintain a list of verified packages and update as new packages are evaluated.
https://thehackernews.com/2022/08/10-credential-stealing-python-libraries.html
