Thursday, January 16, 2025
HomeCryptocurrency hackBeware Of Malicious PyPI Packages That Inject infostealer Malware

Beware Of Malicious PyPI Packages That Inject infostealer Malware

Published on

SIEM as a Service

Follow Us on Google News

Recent research uncovered a novel crypto-jacking attack targeting the Python Package Index (PyPI), where malicious actors uploaded a legitimate-seeming cryptocurrency client package, “aiocpa,” to gradually build a user base. 

Subsequently, a malicious update was pushed, compromising user wallets. By utilizing differential analysis, it was identified that the exact techniques employed by the attackers to execute this unique and sophisticated campaign. 

A suspicious PyPI package, aiocpa, uses machine-learning-based threat hunting on the Spectra platform, where the detection flagged the utils/sync.py file due to a pattern resembling previously seen malware. 

Deobfuscated infostealer code

With multiple layers of Base64 encoding and zlib compression, this file contained obfuscated code, which is a common strategy for concealing malicious functionality.

Best practices for API vulnerability & Penetration Testing -> Free Webinar

Deobfuscation revealed the code’s purpose: to wrap the CryptoPay initialization function and exfiltrate all arguments, potentially including sensitive crypto trading tokens, to a Telegram bot controlled by the attacker, which highlights the effectiveness of ML-based threat hunting in uncovering obfuscated malware attempts within open-source packages. 

Malicious GitHub account details

A malicious actor attempted to exploit the Python Package Index (PyPI) by publishing a malicious package, “aiocpa,” and attempting to take over the existing “pay” package. 

The goal was likely to compromise user systems and potentially gain access to sensitive information. PyPI security swiftly responded by quarantining and removing the malicious package. 

It underscores the importance of securing the software supply chain, including careful dependency management, version pinning, and security assessments of third-party components.

Package takeover request

Open-source software supply chain attacks are increasing in complexity and difficulty to detect. Malicious actors are disguising their attacks to evade traditional security measures. 

To mitigate these threats, developers need to implement dedicated security tools into their development processes, which can help identify and prevent supply chain attacks, protect software integrity, and reduce risks.

The ReversingLabs investigation uncovered multiple compromised PyPI packages, specifically multiple versions of the “aiocpa” package. These malicious packages, identified by their distinct SHA1 hashes, were part of a supply chain attack. 

The compromised packages were designed to infiltrate systems and potentially carry out harmful activities, highlighting the importance of vigilant monitoring and robust security measures to protect against such threats.

Analyse Advanced Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.

Latest articles

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property....

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August...

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...

FTC Slams GoDaddy For Not Implement Standard Security Practices Following Major Breaches

The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Hackers Exploiting California Wildfire Sparks to Launching Phishing Attacks

As California grapples with devastating wildfires, communities are rallying to protect lives and property....

AIRASHI Botnet Exploiting 0-Day Vulnerabilities In Large Scale DDoS Attacks

AISURU botnet launched a DDoS attack targeting Black Myth: Wukong distribution platforms in August...

New Botnet Exploiting DNS Records Misconfiguration To Deliver Malware

Botnets are the networks of compromised devices that have evolved significantly since the internet's...