Thursday, April 3, 2025
HomeCyber Security NewsMultiple 0-Day Attacks in The PyPI Packages Aimed to Steal Developer Credentials

Multiple 0-Day Attacks in The PyPI Packages Aimed to Steal Developer Credentials

Published on

SIEM as a Service

Follow Us on Google News

Recently, the FortiGuard Labs team made a groundbreaking discovery of several new zero-day attacks in the PyPI packages. The source of these attacks was traced back to a malware author known as “Core1337.” This individual had published a number of packages.

Here below we have mentioned the packages that are published by Core1337:-

  • 3m-promo-gen-api
  • Ai-Solver-gen
  • hypixel-coins
  • httpxrequesterv2
  • httpxrequester

Between the 27th of January and the 29th of January 2023, these attacks were published. The recent discovery made by the FortiGuard Labs team revealed that each of the packages published by the malware author “Core1337” had only one version with an empty description. 

However, what was alarming was the fact that all of these packages contained similar malicious code. This raises the question of the level of sophistication and the intentions behind these attacks. 

Technical Analysis of the Packages

First of all, cybersecurity analysts have noticed something that looks like a URL for a webhook in its setup[.]py file:-

  • hxxps://discord[.]com/api/webhooks/1069214746395562004/sejnJnNA3lWgkWC4V86RaFzaiUQ3dIAG958qwAUkLCkYjJ7scZhoa-KkRgBOhQw8Ecqd

There is a similar code in each package’s setup.py file except for the URL of the webhook that is sent from each package. It appears that the URL in question may have a connection to the infamous “Spidey Bot” malware. 

This particular strain of malware is notorious for its ability to pilfer personal information via Discord, as highlighted in a recent blog post by the organization. The blog, entitled “Web3-Essential Package,” delves into the dangers posed by the “Spidey Bot.”

Experts in the field have discovered potential malicious behaviors in a recent static analysis that was conducted by reviewing the setup.py script. During this process, the experts meticulously examined the code and were able to identify several key indicators that point toward malicious intent.

Experts in the field of malware analysis have gained a general understanding of the behavior of a particular strain of malware by carefully examining its primary function. 

According to their findings, this malware may attempt to extract sensitive information from various browsers and the Discord platform and then store it in a file for later exfiltration.

In order to gain a better understanding of the inner workings of this piece of malware, experts have focused their attention on the “getPassw” function. This function is specifically designed to gather user and password information from the browser and then save it to a text file.

The malware has a self-proclaimed title of “Fade Stealer,” which it prominently displays in the form of its name being written at the top of its accompanying text file.

As for its ‘getCookie’ function, the behavior is similar to the one seen in its other functions. Based on the functions of “Kiwi,” “KiwiFile,” and “uploadToAnonfiles,” it appears that the malware is programmed to scan specific directories and select specific file names for the purpose of transferring them through a file-sharing platform:- 

  • https[:]//transfer[.]sh

All these packages have one thing in common – they possess similar codes that are created for the purpose of launching attacks. While all these packages may have different names, the underlying intention and code structure is the same, which indicates the work of a single author.

Network Security Checklist – Download Free E-Book

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Actively Scanning for Juniper Smart Routers Using Default Passwords

Recent cybersecurity findings reveal an alarming increase in malicious activity targeting Juniper's Session Smart...

Google’s Quick Share for Windows Vulnerability Allows Remote Code Execution

Cybersecurity researchers from SafeBreach Labs have revealed new vulnerabilities in Google’s Quick Share file-transfer...

Multiple Jenkins Plugin Vulnerabilities Expose Sensitive Information to Attackers

Jenkins, the widely used open-source automation server, faces heightened security risks after researchers disclosed 11...

Hackers Selling SnowDog RAT Malware With Remote Control Capabilities Online

A sophisticated remote access trojan (RAT) dubbed SnowDog has surfaced on underground cybercrime forums, prompting alarms...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Hackers Actively Scanning for Juniper Smart Routers Using Default Passwords

Recent cybersecurity findings reveal an alarming increase in malicious activity targeting Juniper's Session Smart...

Google’s Quick Share for Windows Vulnerability Allows Remote Code Execution

Cybersecurity researchers from SafeBreach Labs have revealed new vulnerabilities in Google’s Quick Share file-transfer...

Multiple Jenkins Plugin Vulnerabilities Expose Sensitive Information to Attackers

Jenkins, the widely used open-source automation server, faces heightened security risks after researchers disclosed 11...