New Malware Hidden In PyPI Packages Attacking Windows & Linux Machines

A PyPI malware author identified as “WS” was discovered by researchers to be covertly uploading malicious packages to PyPI that were impacting both Windows and Linux devices. 

Over time, the malware author distributes multiple information-stealing packages into the PyPI library, each with unique payload complexities. From the detected packages alone, it is predicted that there may be over 2000 victims of “WS.”

Over several months, the instance of this specific malware author has come to light, demonstrating the significant amount of destruction that has occurred.

The Python community has created the Python Package Index (PyPI), an open repository of software packages to aid in the rapid development or updating of applications. 

Although most packages uploaded to PyPI are uploaded by dedicated people seeking to promote the Python community, malicious packages are also frequently provided by threat actors.

Document
Free Webinar

Fastrack Compliance: The Path to ZERO-Vulnerability

Compounding the problem are zero-day vulnerabilities like the MOVEit SQLi, Zimbra XSS, and 300+ such vulnerabilities that get discovered each month. Delays in fixing these vulnerabilities lead to compliance issues, these delay can be minimized with a unique feature on AppTrana that helps you to get “Zero vulnerability report” within 72 hours.

Info Stealing Packages Hidden in PyPI

According to Fortinet, the identified packages published by the author “WS” are as follows:

  • nigpal
  • figflix
  • telerer
  • seGMM
  • fbdebug
  • sGMM
  • myGens
  • NewGends
  • TestLibs111

These demonstrate attack techniques similar to those described in a blog post by Checkmarx that was published four months prior.

The resemblance raises the possibility of a link to an early 2023 harmful effort. The setup.py files in these packages contain base64-encoded source code for PE or other Python scripts. 

The final malicious payload is dropped and executed when these Python packages are installed, depending on the operating system of the victim devices.

Malicious PyPI packages published by the author “WS”

Packages released before December 2023 can particularly transmit a Python script intended to steal data from Linux systems or, in the case of a Windows victim, deploy the malware known as Whitesnake PE.

“A subtle distinction lies in the new method now being used by the Python script to transmit stolen data. Instead of relying on a single fixed URL, these new malware variants use a range of IP addresses as the destination, likely to ensure successful data transmission even if one server fails”, Fortinet shared with Cyber Security News.

The PE Payload of the myGens & NewGends Packages is analyzed. It attempts to gather user data, including the host credentials and IP address of the user.

Collects User information

This latest set of packages primarily targets Windows users, in contrast to previous attacks that were directed at both Linux and Windows users. Even though each package has a slightly different executable payload, they all attempt to steal confidential data from victims.

Recommendation

When utilizing open-source packages, users are advised to proceed with extreme caution, making sure that no harmful content or payloads are present that could leave their targeted devices vulnerable to information theft.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious actors…

6 hours ago

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce shoppers…

9 hours ago

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to malicious…

10 hours ago

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in 2022…

10 hours ago

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for building…

11 hours ago

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin, formerly…

13 hours ago