New Malware Hidden In PyPI Packages Attacking Windows & Linux Machines

A PyPI malware author identified as “WS” was discovered by researchers to be covertly uploading malicious packages to PyPI that were impacting both Windows and Linux devices. 

Over time, the malware author distributes multiple information-stealing packages into the PyPI library, each with unique payload complexities. From the detected packages alone, it is predicted that there may be over 2000 victims of “WS.”

Over several months, the instance of this specific malware author has come to light, demonstrating the significant amount of destruction that has occurred.

The Python community has created the Python Package Index (PyPI), an open repository of software packages to aid in the rapid development or updating of applications. 

Although most packages uploaded to PyPI are uploaded by dedicated people seeking to promote the Python community, malicious packages are also frequently provided by threat actors.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Info Stealing Packages Hidden in PyPI

According to Fortinet, the identified packages published by the author “WS” are as follows:

  • nigpal
  • figflix
  • telerer
  • seGMM
  • fbdebug
  • sGMM
  • myGens
  • NewGends
  • TestLibs111

These demonstrate attack techniques similar to those described in a blog post by Checkmarx that was published four months prior.

The resemblance raises the possibility of a link to an early 2023 harmful effort. The setup.py files in these packages contain base64-encoded source code for PE or other Python scripts. 

The final malicious payload is dropped and executed when these Python packages are installed, depending on the operating system of the victim devices.

Malicious PyPI packages published by the author “WS”

Packages released before December 2023 can particularly transmit a Python script intended to steal data from Linux systems or, in the case of a Windows victim, deploy the malware known as Whitesnake PE.

“A subtle distinction lies in the new method now being used by the Python script to transmit stolen data. Instead of relying on a single fixed URL, these new malware variants use a range of IP addresses as the destination, likely to ensure successful data transmission even if one server fails”, Fortinet shared with Cyber Security News.

The PE Payload of the myGens & NewGends Packages is analyzed. It attempts to gather user data, including the host credentials and IP address of the user.

Collects User information

This latest set of packages primarily targets Windows users, in contrast to previous attacks that were directed at both Linux and Windows users. Even though each package has a slightly different executable payload, they all attempt to steal confidential data from victims.

Recommendation

When utilizing open-source packages, users are advised to proceed with extreme caution, making sure that no harmful content or payloads are present that could leave their targeted devices vulnerable to information theft.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

New VIPKeyLogger Via Weaponized Office Documenrs Steals Login Credentials

The VIPKeyLogger infostealer, exhibiting similarities to the Snake Keylogger, is actively circulating through phishing campaigns. …

11 hours ago

INTERPOL Urges to End ‘Pig Butchering’ & Replaces With “Romance Baiting”

INTERPOL has called for the term "romance baiting" to replace "pig butchering," a phrase widely…

11 hours ago

New I2PRAT Malware Using encrypted peer-to-peer communication to Evade Detections

Cybersecurity experts are sounding the alarm over a new strain of malware dubbed "I2PRAT," which…

12 hours ago

Earth Koshchei Employs RDP Relay, Rogue RDP server in Server Attacks

 A new cyber campaign by the advanced persistent threat (APT) group Earth Koshchei has brought…

13 hours ago

Careto – A legendary Threat Group Targets Windows By Deploy Microphone Recorder And Steal Files

Recent research has linked a series of cyberattacks to The Mask group, as one notable…

13 hours ago

RiseLoader Attack Windows By Employed A VMProtect To Drop Multiple Malware Families

RiseLoader, a new malware family discovered in October 2024, leverages a custom TCP-based binary protocol…

13 hours ago