A recent trend uncovered by Checkmarx on TikTok involves the use of an “Invisible Body” filter that requires users to be in a state of undress in order to have their bodies removed from the image and replaced with a blur. In response, threat actors created their own TikTok videos claiming to have created a program that would allow users to remove the Invisible Body filter, with a link to a GitHub repository. Rather than the promised software, the repository contains a malware installer. The installation instructions tell users to execute the included “.bat” file, which installs a malicious Python package from PyPI that contains the WASP stealer malware.
The malicious packages are actively being reported and removed from PyPI, but continue to be re-uploaded under new names and accounts. The PyPI packages used by the threat actors employ a technique called “StarJacking” in which they link their malicious PyPI package to popular GitHub repositories. This causes the PyPI package web page to display the statistics of a legitimate GitHub repository, giving the malicious PyPI package the appearance of legitimacy. At this time, the GitHub repository containing the malware installer is still active but has been renamed from “TikTok unfilter” to “Nitro generator”.
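The StarJacking check described above can be automated on the consumer side. The following is an added example written for this page, not code from Checkmarx or from any project named here: it reads the `info` object of a PyPI package record (the shape returned by `https://pypi.org/pypi/<name>/json`), extracts any linked GitHub repositories, and flags a package whose linked repository is not named after it, or whose repository manifest declares a different package name. The sample records, the `tiktok-unfilter-tool` package name and the `repo_manifest_name` parameter are constructed for the example.

```python
"""Flag PyPI packages whose linked GitHub repository does not belong to them.

Added example, not code from the original article or from any project it names.
Input shape follows the PyPI JSON API ("info" object with "name" and
"project_urls"); repo_manifest_name is a constructed stand-in for the package
name a reviewer reads out of the linked repo's pyproject.toml or setup.py.
"""
import re
from urllib.parse import urlparse

# Path of a GitHub repository URL: /owner/repo, optional ".git" and trailing slash.
GITHUB_PATH = re.compile(r"^/([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?/?$")


def normalize(name: str) -> str:
    """PEP 503 name normalization so 'Foo_Bar' and 'foo-bar' compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()


def github_repos(project_urls):
    """Extract (owner, repo) pairs from a PyPI project_urls mapping."""
    found = []
    for url in (project_urls or {}).values():
        parsed = urlparse(url)
        if parsed.netloc.lower() in ("github.com", "www.github.com"):
            match = GITHUB_PATH.match(parsed.path)
            if match:
                found.append((match.group(1), match.group(2)))
    return found


def starjacking_indicators(pypi_info, repo_manifest_name=None):
    """Return a list of human-readable indicators; an empty list means no finding.

    pypi_info: the "info" object from the PyPI JSON API.
    repo_manifest_name: package name declared by the linked repo's own
        pyproject.toml/setup.py, if the reviewer fetched it (None to skip).
    """
    indicators = []
    pkg = normalize(pypi_info["name"])
    repos = github_repos(pypi_info.get("project_urls"))

    # The repo link is what makes PyPI show that repo's stars and forks on the
    # package page, so the link itself is the thing to scrutinise.
    for owner, repo in repos:
        if normalize(repo) != pkg:
            indicators.append(
                f"linked repo {owner}/{repo} is not named after package "
                f"{pypi_info['name']}"
            )

    # Stronger check: the linked repo should itself publish this package name.
    if repos and repo_manifest_name is not None and normalize(repo_manifest_name) != pkg:
        indicators.append(
            f"linked repo declares package {repo_manifest_name!r}, "
            f"not {pypi_info['name']!r}"
        )
    return indicators


# Constructed sample metadata (not real PyPI records).
LEGIT_INFO = {
    "name": "requests",
    "project_urls": {"Source": "https://github.com/psf/requests"},
}
SUSPECT_INFO = {
    "name": "tiktok-unfilter-tool",  # placeholder name, not the real package
    "project_urls": {"Homepage": "https://github.com/psf/requests.git"},
}

if __name__ == "__main__":
    print(starjacking_indicators(LEGIT_INFO, repo_manifest_name="requests"))  # []
    for line in starjacking_indicators(SUSPECT_INFO, repo_manifest_name="requests"):
        print("INDICATOR:", line)
```

A name mismatch alone is only a hint, since legitimate packages are sometimes published from a differently named repository; the manifest cross-check is the one that separates a borrowed repository from an honest link, because a repository that really produces the package names it in its own build metadata.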