Lazarus Typosquatting: North Korean hackers hit Python community hard

Inattentive developers have already regretted, ten times over, falling into such a stupid trap.

The Lazarus hacker group, backed by the North Korean state, uploaded four malicious packages to the Python Package Index (PyPI) repository in order to infect developers' systems with malware.

These packages, "pycryptoenv", "pycryptoconf", "quasarlib" and "swapmempool", have since been removed from the platform, but before that they accumulated 3269 downloads, with "pycryptoconf" the most popular (1351 downloads).

Shusei Tomonaga, a researcher at Japan's JPCERT coordination center, noted that the package names "pycryptoenv" and "pycryptoconf" resemble "pycrypto", a popular Python encryption package, which points to a deliberate typosquatting attack on developers.

This finding follows the recent discovery of several malicious packages in the npm registry by the research company Phylum. Those packages targeted developers who were actively looking for work.

A feature common to both campaigns is malicious code hidden in a test script, which is really just a cover for an XOR-encoded DLL file.

This file drops two further DLL files named "IconCache.db" and "NTUSER.DAT", which are then used to download and execute the Comebacker malware; Comebacker communicates with the command-and-control server to run a Windows executable.


General attack pattern

According to JPCERT, the detected packages are part of a campaign first described by Phylum in November 2023, when cryptocurrency-themed npm modules were used to deliver the Comebacker malware.

Shusei Tomonaga warns that such attacks target inattentive users, who end up downloading malware. Developers should be careful when installing packages from repositories and other software sources to avoid unwanted downloads of malicious code.
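One concrete form that care can take is a pre-install check of requested package names against the names a project actually trusts. The script below is an added example, not code from JPCERT, Phylum or the article; the trusted list and the sample requirements are constructed, with the four reported package names included, and the affix and edit-distance thresholds are assumptions chosen to catch "pycrypto" wrapped with a short suffix (as "pycryptoenv" and "pycryptoconf" are) as well as single-character typos.

```python
"""Flag requested package names that look like typosquats of trusted names."""
import re

# Constructed sample allow-list; "pycrypto" is the package the report says was imitated.
TRUSTED = ["pycrypto", "requests", "cryptography"]


def normalize(name: str) -> str:
    """PEP 503 style normalisation: case-fold and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-character typos such as 'pycrpto'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_reason(requested, trusted_names=TRUSTED, max_edits=2, max_affix=4):
    """Return why `requested` resembles a trusted name, or None if it does not.

    Two heuristics (thresholds are assumptions): a small edit distance, or a
    trusted name with a short prefix/suffix glued on, e.g. "pycrypto" + "env".
    """
    req = normalize(requested)
    normalized_trusted = {normalize(t): t for t in trusted_names}
    if req in normalized_trusted:
        return None  # exact match is the real package
    for t, original in normalized_trusted.items():
        if levenshtein(req, t) <= max_edits:
            return f"{requested}: within {max_edits} edits of {original}"
        if req.startswith(t) and 0 < len(req) - len(t) <= max_affix:
            return f"{requested}: trusted name {original} plus suffix '{req[len(t):]}'"
        if req.endswith(t) and 0 < len(req) - len(t) <= max_affix:
            return f"{requested}: prefix '{req[:-len(t)]}' plus trusted name {original}"
    return None


def scan_requirements(lines, trusted_names=TRUSTED):
    """Scan requirements.txt-style lines and return (name, reason) pairs that look suspicious."""
    hits = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if line:
            name = re.split(r"[<>=!~\[; ]", line, maxsplit=1)[0]
            reason = typosquat_reason(name, trusted_names)
            if reason:
                hits.append((name, reason))
    return hits


# Constructed sample requirements; the first four names are those from the report.
SAMPLE = ["pycryptoenv==1.0", "pycryptoconf", "quasarlib", "swapmempool", "requests>=2.0", "pycrypto"]

if __name__ == "__main__":
    for _name, reason in scan_requirements(SAMPLE):
        print("SUSPICIOUS", reason)
```

Only the two names built on "pycrypto" are flagged; "quasarlib" and "swapmempool" pass a name-similarity check alone, which is why such a check complements, rather than replaces, reviewing what a package's install and test scripts actually do.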