Brother
116 PyPI packages infect systems with a custom backdoor and, in some cases, the W4SP stealer.
ESET discovered a set of 116 malicious packages in the Python Package Index (PyPI) repository designed to infect Windows and Linux systems with a custom backdoor.
In some cases the final payload is a variant of W4SP Stealer, a simple clipboard monitor for stealing cryptocurrency, or both. It is estimated that the packages have been downloaded more than 10,000 times since May 2023.
The attackers behind this activity used three methods to embed malicious code in the packages: a "test.py" script, PowerShell code embedded in "setup.py" (which runs at install time, before anything is imported), and obfuscated code included in "__init__.py" (which runs as soon as the package is imported).
Regardless of the method used, the goal of the campaign is to infect the target host with malware, primarily a backdoor that can remotely execute commands, steal data and take screenshots. The backdoor is written in Python for Windows and in Go for Linux.
In some cases the attack chain also ends with W4SP Stealer or a clipper, which monitors the victim's clipboard and replaces a copied cryptocurrency wallet address with the attacker's address.
This is the latest in a wave of malicious Python packages that attackers have published to compromise the open source ecosystem and spread malware through the software supply chain. Python developers should therefore carefully review downloaded code before installing it on their systems.
We have already written about malicious packages in the PyPI repository. For example, 5 packages detected at the end of January contained the W4SP Stealer infostealer. And in November it became known that packages masquerading as popular Python libraries attracted thousands of downloads around the world, including in the United States and China. During that wave of infections, data and cryptocurrency of IT specialists were stolen.
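The post names three carrier files (setup.py, __init__.py and test.py) and tells developers to review code before installing it. Below is an added example of what that review can look like in practice: a small heuristic scanner, written for this post and not ESET's or PyPI's tooling, that walks an unpacked package and flags PowerShell invocations, shell execution, exec()/eval() fed by a decoder such as base64.b64decode, and long base64-looking blobs. The sample package it scans is constructed inline with harmless placeholder payloads; the file and function names are assumptions for the demo.

```python
"""Heuristic pre-install scan of an unpacked Python package (added example).

Not ESET's detection logic. Looks for the embedding patterns the post describes:
PowerShell launched from setup.py, shell execution from a helper script such as
test.py, and an obfuscated exec()/eval() stage in __init__.py.
"""
from __future__ import annotations

import ast
import base64
import re
import tempfile
from pathlib import Path

# "powershell", "powershell.exe", "-EncodedCommand" or "-enc" anywhere in the file.
POWERSHELL_RE = re.compile(r"powershell(\.exe)?\b|-EncodedCommand|-enc\b", re.I)
# Long runs of base64 alphabet are typical of a packed second stage.
B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
DECODERS = {"b64decode", "b32decode", "decompress", "loads", "unhexlify", "fromhex"}
EXECUTORS = {"exec", "eval"}
# Noisy on purpose: a reviewer wants to see every shell hand-off in an sdist.
SHELL_FUNCS = {"system", "popen", "run", "Popen", "call", "check_output", "check_call"}
# Files the campaign used as carriers, and why each one matters.
CARRIERS = {
    "setup.py": "runs during pip install, before any import",
    "__init__.py": "runs on first import of the package",
    "test.py": "run by developers or CI without being read",
}


def _call_name(node: ast.Call) -> str:
    """Bare function name of a Call node: os.system(...) -> 'system'."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return ""


def scan_source(filename: str, text: str) -> list[str]:
    """Return human-readable findings for one Python source file (empty if clean)."""
    findings: list[str] = []
    if POWERSHELL_RE.search(text):
        findings.append("powershell invocation")
    if B64_BLOB_RE.search(text):
        findings.append("long base64-like blob")
    try:
        tree = ast.parse(text, filename=filename)
    except SyntaxError:
        return findings + ["unparseable source"]
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in EXECUTORS:
            # exec(base64.b64decode(...)) / eval(zlib.decompress(...)): a packed loader.
            inner = [n for n in ast.walk(node) if isinstance(n, ast.Call) and n is not node]
            if any(_call_name(n) in DECODERS for n in inner):
                findings.append(f"{name}() over decoded payload")
            else:
                findings.append(f"{name}() call")
        elif name in SHELL_FUNCS:
            findings.append(f"shell execution via {name}()")
    return findings


def scan_package(root: Path) -> dict[str, list[str]]:
    """Scan every .py file under root; map relative path -> findings for flagged files."""
    report: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*.py")):
        findings = scan_source(path.name, path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            if path.name in CARRIERS:
                findings.append(f"carrier file ({CARRIERS[path.name]})")
            report[path.relative_to(root).as_posix()] = findings
    return report


def build_sample_package(base: Path) -> Path:
    """Write a constructed fake package imitating the three carriers. Payloads are harmless."""
    pkg = base / "example_pkg"
    (pkg / "example_pkg").mkdir(parents=True)
    # 1. PowerShell launched from setup.py at install time (placeholder encoded command).
    (pkg / "setup.py").write_text(
        "import subprocess\n"
        "subprocess.run(['powershell', '-EncodedCommand', 'QQBCAEMA'])\n"
        "from setuptools import setup\nsetup(name='example_pkg')\n"
    )
    # 2. Obfuscated stage in __init__.py: exec() over a base64 blob.
    blob = base64.b64encode(b"print('harmless placeholder') " * 20).decode()
    (pkg / "example_pkg" / "__init__.py").write_text(
        f"import base64\nexec(base64.b64decode('{blob}'))\n"
    )
    # 3. A helper script that hands off to the shell.
    (pkg / "test.py").write_text("import os\nos.system('echo placeholder stage')\n")
    # A benign module that must not be flagged.
    (pkg / "example_pkg" / "core.py").write_text("def add(a, b):\n    return a + b\n")
    return pkg


def demo() -> dict[str, list[str]]:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_package(build_sample_package(Path(tmp)))


if __name__ == "__main__":
    for rel, found in demo().items():
        print(f"{rel}: {', '.join(found)}")
```

Run it against a real sdist by unpacking the tarball from `pip download --no-binary :all: --no-deps <name>` and calling scan_package() on the extracted directory; treat any hit in setup.py or __init__.py as a reason to read the file in full rather than a verdict, since the regexes and the shell-function list are deliberately broad.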