10 malicious Python packages detected in the latest repository attack

Researchers discovered another A set of malicious packages in PyPi, the official and most popular repository of Python programs and code libraries. Those scammed by seemingly familiar packages could be exposed to downloading malware or stealing user credentials and passwords.

Check point search, which He reported his findings on Monday, wrote that he did not know how many people had downloaded the 10 packages, but noted that PyPi has 613,000 active users, and its code is used in more than 390,000 projects. Installing from PyPi via a file pip The command is an essential step for starting or setting up many Python projects. babya site that estimates Python project downloads, reports that most malicious packages have seen hundreds of downloads.

Such as Supply Chain Attacks It is becoming increasingly popular, especially among open source software repositories that support a wide range of software in the world. The Python repository is a frequent target, as researchers find malicious packages in files September 2017; JuneAnd the JulyAnd the November 2021; And the June from this year. But scam packages are also found in RubyGems in 2020And the NPM in December 2021Many repositories are open source.

Most notably the supply chain attack from a private source by Russian Hackers by SolarWinds Work program wreathe noticeable messinfecting more than 100 companies and at least nine US federal agencies, Including The National Nuclear Security Administration, the Internal Revenue Service, the Department of State, and the Department of Homeland Security.

The increasingly common detection of fake malicious packages causes repositories to work. Just yesterday, GitHub, the owner of the NPM repository of JavaScript packages, opened a request for feedback on offering a subscription scheme for package developers to sign and verify their packages. Use sigstorea collaboration between many open source and industry groups, NPM developers can log out packages, indicating that the code inside them matches their original repository.

Having a clear indication that the package you’re downloading is related to the code you need may have helped people avoid the latest nasty stuff discovered in PyPi, although it might not quite be the case. “Ascii2text” directly copies almost every aspect of the ASCII arts library “art”, except for the version details. to me Probably nearly 1,000 downloadsits descriptive name probably suggests a more specific purpose than “art”.

Installing ascii2text led to the download of a malicious script, which then searched the local storage of Opera, Chrome and other browsers for tokens, passwords or cookies, along with certain crypto wallets, and sent them to a Discord server.

Other packages discovered by Check Point targeted AWS, other credentials, and environment variables. Here is a list of reported PyPi packages that have since been removed:

• ascii 2 text
• pyg-utils
• levers
• PyProto2
• asynchronous test
• free vpn
• free network – vpn2
• Zippers
• Browser
• WINRPC Exploits