Key Takeaways
- PyPI has blocked new user registrations to combat malware uploading through techniques like typosquatting, targeting popular Python libraries.
- Malicious packages on PyPI contain encrypted setup.py files that steal browser information, indicating sophistication from unknown attackers.
- Over 500 distinct malicious packages were uploaded to PyPI by unknown threat actors, prompting the Python Software Foundation to block new projects.
If you utilize Python as a programming language during software development activities, you might know about Python Package Index (PyPI). This is the official repository for Python packages and is essentially the place where pandas, numpy, seaborn, matplotlib, and other libraries are downloaded from when you run pip install libraryname. Now, in a move that may surprise many, PyPI has blocked new user registrations in an attempt to defend itself against a recent malware campaign.
How are threat actors targeting PyPI?
Citing reports from Checkmarx and Check Point, Bleeping Computer has reported that threat actors have been uploading malicious software packages to PyPI. They use techniques like typosquatting to get users to accidentally download dangerous packages. For those unaware, typosquatting in this case refers to the activity of uploading similarly named packages to trick users. For example, the malicious package for matplotlib might be named matplotl1b. While this process doesn’t guarantee strong financial returns, it does enable attackers to cast a wide net for potential victims, especially by imitating popular libraries.
Source: Unsplash
The malicious packages spotted by security researchers contain a setup.py file which automatically executes after the installation of the package. This piece of code is encrypted and dynamically generates a URL to download additional payloads from a remote server, indicating at least some level of sophistication from the attackers. The payload from the remote server steals information from the web browser including credentials, cookies, and cryptocurrency details.
Who is behind the malware campaign?
It is currently unknown which threat actor or threat actors are behind the attack, but security researchers have noticed that over 500 malicious packages were uploaded to PyPI recently with distinct enough names and email IDs for the authors. Each maintainer only uploaded one package, which could mean that some degree of automation was used to orchestrate the attack. Additionally, all malicious packages had the same version number and malicious piece of code embedded in the software.
How is PyPI responding?
For now, PyPI (managed by the Python Software Foundation) has decided to block the creation of new projects as well as the registration of new users. The long-term solution is currently unclear, but it does highlight the need to check the software components used in your applications – even in development environments -, knowing that malware actors can even (temporarily) circumvent PyPI too.
[ad_2]
