What are platform holders struggling with and what should ordinary developers do?
The popular open source software repository PyPI (Python Package Index) recently faced a large-scale cyberattack, during which attackers used automated tools to upload many malicious packages to the platform.
When installed on users devices, these packages ran malicious code aimed at stealing cryptocurrency wallets, confidential data from browsers, accounts, and other valuable information.
The attackers used the "typosquatting" method — creating packages with names that differ by one or two letters from already known and popular libraries. Hackers targeted packages such as Requests, Pillow,and Colorama as bait. Thus, the user may have accidentally installed an infected package instead of a legitimate one.
According to cybersecurity experts from Checkmarx, malicious code was placed by intruders in the file "setup.py" every such package. This made it possible to automatically launch a malicious load when installing a package. The code was carefully encrypted using the Fernet module to hide its malicious nature.
After executing the encrypted code, the connection to the remote server was made and additional malicious load was loaded. The malware also implemented a persistence mechanism that allowed it to remain active on the infected system even after a reboot.
Upon discovering the attack, the PyPI administration promptly took action — the ability to create new projects and register users was temporarily suspended for 10 hours. This made it possible to remove all detected infected packages, after which the resource was fully restored.
This incident is just one of many examples of the growing threat of attacks on the software development infrastructure. Previously, similar campaigns repeatedly affected such popular resources as GitHub, npm, and RubyGems. Attackers use various techniques, including cloning legitimate repositories and injecting malicious code into them, as well as using the "dependency confusion"technique.
Unfortunately, it is impossible to fully protect the software development ecosystem from such attacks. Experts recommend that developers check the names, sources, and contents of installed packages very carefully to avoid falling victim to malicious campaigns. Timely software updates and tracking of new threats are also important.
The popular open source software repository PyPI (Python Package Index) recently faced a large-scale cyberattack, during which attackers used automated tools to upload many malicious packages to the platform.
When installed on users devices, these packages ran malicious code aimed at stealing cryptocurrency wallets, confidential data from browsers, accounts, and other valuable information.
The attackers used the "typosquatting" method — creating packages with names that differ by one or two letters from already known and popular libraries. Hackers targeted packages such as Requests, Pillow,and Colorama as bait. Thus, the user may have accidentally installed an infected package instead of a legitimate one.
According to cybersecurity experts from Checkmarx, malicious code was placed by intruders in the file "setup.py" every such package. This made it possible to automatically launch a malicious load when installing a package. The code was carefully encrypted using the Fernet module to hide its malicious nature.
After executing the encrypted code, the connection to the remote server was made and additional malicious load was loaded. The malware also implemented a persistence mechanism that allowed it to remain active on the infected system even after a reboot.
Upon discovering the attack, the PyPI administration promptly took action — the ability to create new projects and register users was temporarily suspended for 10 hours. This made it possible to remove all detected infected packages, after which the resource was fully restored.
This incident is just one of many examples of the growing threat of attacks on the software development infrastructure. Previously, similar campaigns repeatedly affected such popular resources as GitHub, npm, and RubyGems. Attackers use various techniques, including cloning legitimate repositories and injecting malicious code into them, as well as using the "dependency confusion"technique.
Unfortunately, it is impossible to fully protect the software development ecosystem from such attacks. Experts recommend that developers check the names, sources, and contents of installed packages very carefully to avoid falling victim to malicious campaigns. Timely software updates and tracking of new threats are also important.
