12 malicious libraries found in Python PyPI

One of these packages contained a tool that replaced the victims’ Bitcoin addresses in an attempt to hijack users’ funds

An information security and digital forensics expert has identified 12 Python libraries loaded into the Python Package Index (PyPI) containing malicious code. The 12 packages were discovered in two different scans by a researcher under the pseudonym “Bertus”, all malicious loads have already been eliminated from PyPI.

All the packages were copied and worked according to a similar pattern. Its creators copied the code from popular packages and created a new library, but with a slightly modified names. For example, four packages (Diango, Djago, Dajngo, Djanga) are spelling modifications of Django, the name of a very popular framework.

According to the report of the digital forensics expert, the people behind these packages added malicious code to these newly created, but completely functional projects, and more specifically to the setup.py files. These files contain a set of instructions that Python library installers, such as “pip”, automatically execute when downloading and configuring a new package within a Python project.

The reason for including this additional code was to perform several malicious actions for each malicious library.

“Bertus” discovered a first set of 11 malicious packages on October 13 and another malicious package on October 21. The first set of malicious libraries would attempt to collect data on each infected environment, get boot persistence, or even open a reverse shell on remote workstations.

For its part, the last package found, called “colourama”, was looking for access to the finances of the victim, hijacking the clipboard of the infected user’s operating system, where it would scan looking for similar strings to a Bitcoin address, which it would replace with the attacker’s own Bitcoin address in an attempt to hijack the payments or transfers made in the victim’s online wallet. This package also imitated the name of a popular Python library, called “colorama”.

According to the PyPI Statistics Service, 54 users had downloaded the package one month before it was retired. The attacker’s Bitcoin address contained only $40 USD in virtual assets, so cybersecurity and digital forensics experts were able to verify that this series of malicious actions did not generate Bitcoin profits for the attackers.

“Bertus” was interviewed by a cybersecurity firm via email: “After discovering malicious libraries, I notified the PyPI administrators, who eliminated the packages”, he said. “In addition, they also blocked the name “colourama” for future packet registrations”.

The investigator claims he discovered the 12 packages by using an automated system designed by him to scan the PyPI repository for packages with similar names, technically known as “typo packages”.

“Bertus” says he created the scanner after seeing a security alert sent by the Slovak National Security office last year, warning Python developers about ten malicious libraries loaded into PyPI. These libraries also used typo packages and spent weeks until the PyPI were discovered.

According to reports of experts in digital forensics from the International Institute of Cyber Security, “Bertus” is improving his Python scanner, while continuing to perform periodic reviews to find more typo packages.