Friday, May 2, 2025
HomeCyber Security NewsMalicious PyPI & NPM Packages Attacking MacOS Users

Malicious PyPI & NPM Packages Attacking MacOS Users

Published on

SIEM as a Service

Follow Us on Google News

Cybersecurity researchers have identified a series of malicious software packages targeting MacOS users.

These packages, found on the Python Package Index (PyPI) and NPM, have been meticulously analyzed to uncover their malicious intent and sophisticated attack mechanisms.

GuardDog: The Sentinel Against Malicious Packages

In late 2022, a CLI-based tool named GuardDog was released. Utilizing Semgrep and package metadata heuristics, GuardDog identifies malicious software packages based on common patterns.

- Advertisement - Google News

By early 2023, GuardDog was scaled to continuously scan PyPI, leading to the identification and manual triage of nearly 1,500 malicious packages.

According to SecurityLabs reports, this effort has resulted in one of the most enormous labeled datasets of malicious packages available to the public.GuardDog Dashboard

ANYRUN malware sandbox’s 8th Birthday Special Offer: Grab 6 Months of Free Service

Initial Lead: The “reallydonothing” Package

The initial lead came from a package named “reallydonothing,” published on May 9, 2024. This package exhibited several suspicious characteristics:

  • Empty description
  • Single Python file
  • Command overwrite
  • OS command execution

These indicators triggered GuardDog’s rules, prompting further investigation.

Detailed Analysis of Malicious Packages

The malicious packages, including “reallydonothing,” “jupyter-calendar-extension,” “calendar-extender,” “ReportGenPub,” and “Auto-Scrubber,” share a standard structure.

They consist of a single Python file, setup.py, which overwrites the setup command to execute malicious code upon installation.

Code Example:

class InstallCommand(install):
def run(self):
install.run(self)
# malicious code follows

setup(
name='reallydonothing',
version='0.1',
license='MIT',
packages=find_packages(),
cmdclass={'install': InstallCommand},
)

The malicious code searches for specific file patterns on the local file system and uses hardcoded values to determine the presence of a secret file.

Further malicious actions are executed if the file is found, including downloading and running a second-stage binary.

How the Identified Malicious Packages Differ

The identified packages vary in file patterns, hardcoded values, and the locations where they drop binaries.

Here is a summary of the differences:

Package NameVersionFiles MatchedHardcoded Magic WordsPath of Dropped BinaryFile Created After Successful Infection
reallydonothing0.1/Library/Application Support/t*/O/*railroad, jewel, drown, archive~/.local/bin/donothing/tmp/testing
reallydonothing0.3/Library/Application Support/t*/O/*railroad, jewel, drown, archive~/.local/bin/donothing/tmp/testing
jupyter-calendar-extension0.1/Users/Shared/C*/r/2*/*craft, ribbon, effect, jacket~/.local/bin/jupyter_calendar/tmp/21cb7184-5e4e-4041-b6db-91688a974c56
calendar-extender0.1/Users/Shared/C*/r/2*/*craft, ribbon, effect, jacket~/.local/bin/calendar_extender/tmp/9bacc561-8485-4731-9c09-7eb4f3fae355
calendar-extender0.2/Users/Shared/C*/r/2*/*craft, ribbon, effect, jacket~/.local/bin/calendar_extender/tmp/21cb7184-5e4e-4041-b6db-91688a974c56
ReportGenPub0.1/Users/Shared/P*/c/R*/*bench, example, assume, reservoir~/.local/bin/report_genNone
ReportGenPub0.2/Users/Shared/P*/c/R*/*bench, example, assume, reservoir~/.local/bin/report_genNone
Auto-Scrubber0.1/Users/Shared/Videos/t/2*/*liberty, seed, novel, structure~/.local/bin/AutoScrubNone

Assessment

These malicious packages specifically target MacOS systems, searching for files in standard directories like /Users/Shared and /Library/Application Support.

The attacker’s intentions remain obscure due to the use of one-way hashing functions and secret file paths, making it difficult to determine the payload URL without the secret file path.

The discovery of these malicious packages highlights the importance of continuously monitoring and analyzing software repositories.

Tools like GuardDog play a crucial role in identifying and mitigating such threats.

Users should stay vigilant and regularly update their security measures to protect against these sophisticated attacks.

Free Webinar on Live API Attack Simulation: Book Your Seat | Start protecting your APIs from hackers

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series...

Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands

A major supply chain security incident has rocked the Python open-source community as researchers...

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...

NVIDIA TensorRT-LLM Vulnerability Let Hackers Run Malicious Code

NVIDIA has issued an urgent security advisory after discovering a significant vulnerability (CVE-2025-23254) in...

Resilience at Scale

Why Application Security is Non-Negotiable

The resilience of your digital infrastructure directly impacts your ability to scale. And yet, application security remains a critical weak link for most organizations.

Application Security is no longer just a defensive play—it’s the cornerstone of cyber resilience and sustainable growth. In this webinar, Karthik Krishnamoorthy (CTO of Indusface) and Phani Deepak Akella (VP of Marketing – Indusface), will share how AI-powered application security can help organizations build resilience by

Discussion points


Protecting at internet scale using AI and behavioral-based DDoS & bot mitigation.
Autonomously discovering external assets and remediating vulnerabilities within 72 hours, enabling secure, confident scaling.
Ensuring 100% application availability through platforms architected for failure resilience.
Eliminating silos with real-time correlation between attack surface and active threats for rapid, accurate mitigation

More like this

Dutch Services Disrupted by DDoS Attacks From Russian-Affiliated Hacktivists

Multiple Dutch organizations have experienced significant service disruptions this week due to a series...

Seven Malicious Packages Exploit Gmail SMTP to Run Harmful Commands

A major supply chain security incident has rocked the Python open-source community as researchers...

CISA Issues New ICS Advisories Addressing Critical Vulnerabilities and Exploits

The Cybersecurity and Infrastructure Security Agency (CISA) has issued two new advisories revealing critical...