Beware Of Malicious PyPI Packages That Inject infostealer Malware

Recent research uncovered a novel crypto-jacking attack targeting the Python Package Index (PyPI), where malicious actors uploaded a legitimate-seeming cryptocurrency client package, “aiocpa,” to gradually build a user base. 

Subsequently, a malicious update was pushed, compromising user wallets. By utilizing differential analysis, it was identified that the exact techniques employed by the attackers to execute this unique and sophisticated campaign. 

A suspicious PyPI package, aiocpa, uses machine-learning-based threat hunting on the Spectra platform, where the detection flagged the utils/sync.py file due to a pattern resembling previously seen malware. 

With multiple layers of Base64 encoding and zlib compression, this file contained obfuscated code, which is a common strategy for concealing malicious functionality.

Best practices for API vulnerability & Penetration Testing -> Free Webinar

Deobfuscation revealed the code’s purpose: to wrap the CryptoPay initialization function and exfiltrate all arguments, potentially including sensitive crypto trading tokens, to a Telegram bot controlled by the attacker, which highlights the effectiveness of ML-based threat hunting in uncovering obfuscated malware attempts within open-source packages. 

A malicious actor attempted to exploit the Python Package Index (PyPI) by publishing a malicious package, “aiocpa,” and attempting to take over the existing “pay” package. 

The goal was likely to compromise user systems and potentially gain access to sensitive information. PyPI security swiftly responded by quarantining and removing the malicious package. 

It underscores the importance of securing the software supply chain, including careful dependency management, version pinning, and security assessments of third-party components.

Open-source software supply chain attacks are increasing in complexity and difficulty to detect. Malicious actors are disguising their attacks to evade traditional security measures. 

To mitigate these threats, developers need to implement dedicated security tools into their development processes, which can help identify and prevent supply chain attacks, protect software integrity, and reduce risks.

The ReversingLabs investigation uncovered multiple compromised PyPI packages, specifically multiple versions of the “aiocpa” package. These malicious packages, identified by their distinct SHA1 hashes, were part of a supply chain attack. 

The compromised packages were designed to infiltrate systems and potentially carry out harmful activities, highlighting the importance of vigilant monitoring and robust security measures to protect against such threats.

Analyse Advanced Phishing Analysis With ANY.RUN Black Friday Deals : Get up to 3 Free Licenses.