Thursday, July 18, 2024

Beware of Typos that May lead to Malicious PyPI Package Installation

Cybersecurity experts have raised alarms over a new threat vector targeting Python developers: typo-squatting on the Python Package Index (PyPI).

The notorious Lazarus group, known for its cyber espionage and sabotage activities, has been implicated in the release of malicious packages designed to exploit typographical errors made by developers when installing packages.

You can analyze a malware file, network, module, and registry activity with the ANY.RUN malware sandbox, and the Threat Intelligence Lookup that will let you interact with the OS directly from the browser.

Typosquatting: A Gateway for Malware

The JPCERT/CC has confirmed the release of several malicious packages on PyPI, including pycryptoenvpycryptoconfquasarlib, and swapmempool.

These packages were crafted to resemble the legitimate pycrypto package, a widely used encryption library in Python.

Python packages released by Lazarus attack group
Python packages released by Lazarus attack group

The subtle misspellings are intended to dupe unsuspecting developers into downloading and installing malware on their systems.

Inside the Malicious Packages

Upon closer examination, the structure of these packages reveals a concerning setup. For instance, pycryptoenv it contains a file named, which is not a Python script but an XOR-encoded DLL file.

The file within the package handles the decoding and execution of this file.

Flow up to Comebacker execution
Flow up to Comebacker execution

This malware, called Comebacker, is not new to the cybersecurity community. Lazarus previously used it in a campaign targeting security researchers, as reported by Google in January 2021.

The malware is executed through a series of steps, starting with the decoding of, saving it as, and then running it as a DLL file.

The Comebacker Malware

The Comebacker malware uses HTTP POST requests to communicate with its command and control (C2) servers.

Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN
Comparison of characteristic NOP commands between Comebacker and BLINDINGCAN

The data sent and received is encoded, and upon successful communication, the server sends back a Windows executable file.

This file is then executed in memory, avoiding detection by traditional antivirus software.

Lazarus has employed comparable techniques in disseminating malware through different package repositories, including npm, suggesting a more extensive approach to infiltrating software supply chains. This particular occurrence is not an isolated event.

npm package released by Lazarus attack group
npm package released by Lazarus attack group

Protecting Against Typosquatting Attacks

The malicious packages in question have been downloaded hundreds of times, suggesting that many developers have fallen victim to this scheme. 

Number of pycryptoenv downloads
Number of pycryptoenv downloads

Developers must be vigilant when installing packages, double-check the spelling, and verify the source’s authenticity.

Additionally, organizations should consider implementing automated tools to detect and block the installation of potentially malicious packages.

The discovery of these malicious PyPI packages is a stark reminder of the evolving threat landscape and the need for heightened awareness among developers.

As the Lazarus group continues to refine its strategies, the cybersecurity community must remain proactive in identifying and mitigating such threats.

For more detailed information on the malware and its behavior and the indicators of compromise, readers are directed to the appendices provided by JPCERT/CC.

This article is based on the findings and reports from JPCERT/CC and other cybersecurity sources.

The information provided aims to educate and inform the public about typo-squatting risks and the importance of cautious package installation practices.

You can block malware, including Trojans, ransomware, spyware, rootkits, worms, and zero-day exploits, with Perimeter81 malware protection. All are extremely harmful, can wreak havoc, and damage your network.

Stay updated on Cybersecurity news, Whitepapers, and Infographics. Follow us on LinkedIn & Twitter.


Latest articles

Octo Tempest Know for Attacking VMWare ESXi Servers Added RansomHub & Qilin to Its Arsenal

Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which...

TAG-100 Actors Using Open-Source Tools To Attack Gov & Private Orgs

Hackers exploit open-source tools to execute attacks because they are readily available, well-documented, and...

macOS Users Beware Of Weaponized Meeting App From North Korean Hackers

Meeting apps are often targeted and turned into weapons by hackers as they are...

Hackers Exploiting Legitimate RMM Tools With BugSleep Malware

Since October 2023, MuddyWater, which is an Iranian threat group linked to MOIS, has...

Cybercriminals Exploit Attack on Donald Trump for Crypto Scams

Researchers at Bitdefender Labs remain ever-vigilant, informing users about the latest scams and internet...

New TE.0 HTTP Request Smuggling Flaw Impacts Google Cloud Websites

HTTP Request Smuggling is a flaw in web security that is derived from variations...

Volcano Demon Group Attacking Organizations With LukaLocker Ransomware

The Volcano Demon group has been discovered spreading a new ransomware called LukaLocker, which...
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Free Webinar

Low Rate DDoS Attack

9 of 10 sites on the AppTrana network have faced a DDoS attack in the last 30 days.
Some DDoS attacks could readily be blocked by rate-limiting, IP reputation checks and other basic mitigation methods.
More than 50% of the DDoS attacks are employing botnets to send slow DDoS attacks where millions of IPs are being employed to send one or two requests per minute..
Key takeaways include:

  • The mechanics of a low-DDoS attack
  • Fundamentals of behavioural AI and rate-limiting
  • Surgical mitigation actions to minimize false positives
  • Role of managed services in DDoS monitoring

Related Articles