A PyPI malware author identified as “WS” was discovered by researchers to be covertly uploading malicious packages to PyPI that were impacting both Windows and Linux devices.
Over time, the malware author distributes multiple information-stealing packages into the PyPI library, each with unique payload complexities. From the detected packages alone, it is predicted that there may be over 2000 victims of “WS.”
Over several months, the instance of this specific malware author has come to light, demonstrating the significant amount of destruction that has occurred.
The Python community has created the Python Package Index (PyPI), an open repository of software packages to aid in the rapid development or updating of applications.
Although most packages uploaded to PyPI are uploaded by dedicated people seeking to promote the Python community, malicious packages are also frequently provided by threat actors.
Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.
According to Fortinet, the identified packages published by the author “WS” are as follows:
These demonstrate attack techniques similar to those described in a blog post by Checkmarx that was published four months prior.
The resemblance raises the possibility of a link to an early 2023 harmful effort. The setup.py files in these packages contain base64-encoded source code for PE or other Python scripts.
The final malicious payload is dropped and executed when these Python packages are installed, depending on the operating system of the victim devices.
Packages released before December 2023 can particularly transmit a Python script intended to steal data from Linux systems or, in the case of a Windows victim, deploy the malware known as Whitesnake PE.
“A subtle distinction lies in the new method now being used by the Python script to transmit stolen data. Instead of relying on a single fixed URL, these new malware variants use a range of IP addresses as the destination, likely to ensure successful data transmission even if one server fails”, Fortinet shared with Cyber Security News.
The PE Payload of the myGens & NewGends Packages is analyzed. It attempts to gather user data, including the host credentials and IP address of the user.
This latest set of packages primarily targets Windows users, in contrast to previous attacks that were directed at both Linux and Windows users. Even though each package has a slightly different executable payload, they all attempt to steal confidential data from victims.
When utilizing open-source packages, users are advised to proceed with extreme caution, making sure that no harmful content or payloads are present that could leave their targeted devices vulnerable to information theft.
A very important message from the Norwegian National Cyber Security Centre (NCSC) says that Secure Socket Layer/Transport Layer Security (SSL/TLS)…
Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices, which makes it an attractive target…
ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine, to target infected systems, which extracts…
Santander has confirmed that there was a major data breach that affected its workers and customers in Spain, Uruguay, and…
The U.S. government has offered a prize of up to $5 million for information that leads to the arrest and…
Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated cybercriminals to achieve its strategic goals,…