Logo virus: Hackers attack Python developers in an unusual way

Father

A malicious fork of the popular "requests" package was published to PyPI.

Security researchers at Phylum discovered a malicious package in the PyPI repository that passes itself off as the popular "requests" library but in reality poses a serious threat to developers who install it.

The package, called requests-darwin-lite, relied on steganography and was downloaded 417 times before it was removed from the platform. It was a fork of the "requests" library that carried a malicious Go-based binary, which the attackers hid inside a PNG logo bundled with the package.

The package's setup.py was modified to decode and execute a Base64-encoded command that collects the host's UUID (universally unique identifier). Because this logic lives in setup.py, it runs at install time, before any of the package's code is imported. The infection proceeds only if the identifier matches a hard-coded value, which means the attackers were after one specific machine. That points either to a targeted attack or to narrow testing ahead of a larger campaign.

If the UUID matches, requests-darwin-lite extracts data from a PNG file named "requests-sidebar-large.png", which is far larger than the same file in the legitimate package: about 17 MB versus roughly 300 KB.

The data hidden in the image is a binary from the Go-based Sliver command-and-control framework, a tool commonly used by security professionals for red team operations. What the attackers ultimately intended remains unclear, but the incident once again shows that open source ecosystems continue to attract attackers as a channel for distributing malware.
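As an added example (not Phylum's tooling and not code from the package itself), the following Python checks a package for the two indicators described above: an image that carries more bytes than a PNG needs, and a setup.py that decodes a Base64 string into something that runs it. It assumes the simplest steganographic layout, a payload appended after the PNG's IEND chunk; the page does not say how the binary was placed in the image, so a real scanner should also look at oversized ancillary chunks. The PNG, the fake payload, the dummy UUID and the setup.py text are all constructed stand-ins.

```python
import base64
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Magic numbers of native executables that have no business inside an image.
EXECUTABLE_MAGIC = {
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal",
    b"\x7fELF": "ELF",
    b"MZ": "PE",
}

def png_chunks(data):
    """Walk the chunk list, checking each CRC, and yield (type, body, end_offset)."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        if len(body) != length or len(crc) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        if struct.unpack(">I", crc)[0] != zlib.crc32(ctype + body):
            raise ValueError("bad CRC in chunk %r" % ctype)
        pos += 12 + length
        yield ctype, body, pos
        if ctype == b"IEND":
            return
    raise ValueError("no IEND chunk")

def trailing_bytes(data):
    """Everything after IEND. A clean image has nothing there; an appended payload does."""
    end = len(data)
    for _, _, end in png_chunks(data):
        pass
    return data[end:]

def analyze_png(data, reference_size=None, size_factor=5):
    """Flag trailing data and a size far beyond the legitimate package's copy."""
    findings = []
    extra = trailing_bytes(data)
    if extra:
        kind = next((n for m, n in EXECUTABLE_MAGIC.items() if extra.startswith(m)), "unknown format")
        findings.append("%d bytes after IEND (%s)" % (len(extra), kind))
    if reference_size and len(data) > size_factor * reference_size:
        findings.append("%d bytes vs %d in reference copy" % (len(data), reference_size))
    return findings

B64_LITERAL = re.compile(r"""["']([A-Za-z0-9+/]{16,}={0,2})["']""")
EXEC_SINKS = ("exec(", "eval(", "subprocess.", "os.system(", "os.popen(")

def scan_setup_py(source):
    """Install-time heuristics: base64 decoding next to an execution sink, plus the
    decoded content of long base64 literals (decoded for the report, never run)."""
    findings = []
    if "b64decode" in source and any(sink in source for sink in EXEC_SINKS):
        findings.append("base64 decode combined with an execution sink")
    for match in B64_LITERAL.finditer(source):
        try:
            decoded = base64.b64decode(match.group(1), validate=True)
        except ValueError:
            continue
        findings.append("base64 literal decodes to %r" % decoded[:80])
    return findings

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def build_clean_png():
    """Constructed 1x1 RGB PNG standing in for the legitimate sidebar logo."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one black pixel
    return PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

# Constructed stand-in for the trojanised image: a fake Mach-O header appended after
# IEND. This layout is an assumption; the page does not say how the binary was embedded.
FAKE_PAYLOAD = b"\xcf\xfa\xed\xfe" + b"\x00" * 4096
STEGO_PNG = build_clean_png() + FAKE_PAYLOAD

# Constructed setup.py mirroring the described flow with a harmless command
# ("echo hello world") and a dummy UUID in place of the real ones.
SAMPLE_SETUP_PY = '''
import base64, subprocess
from setuptools import setup
cmd = base64.b64decode("ZWNobyBoZWxsbyB3b3JsZA==")
if subprocess.check_output(cmd, shell=True).strip() == b"00000000-0000-0000-0000-000000000000":
    open("requests-sidebar-large.png", "rb").read()
setup(name="example-package")
'''
```

Run `analyze_png(STEGO_PNG, reference_size=len(build_clean_png()))` and `scan_setup_py(SAMPLE_SETUP_PY)` to see both indicators fire; against the clean image the first returns an empty list. The size comparison needs a copy of the legitimate package to diff against, which is the check that would have caught this case immediately: a 17 MB logo in a fork of a library whose own copy is 300 KB.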

Steganography is not a new attack technique; attackers use it regularly. Just last week we reported on a picture posted in the comments under an article on a foreign site that posed a threat to users for more than three years, because it carried malicious code pointing to a third-party website.

In addition, the relentless flow of malware into registries such as npm and PyPI, together with the recent XZ Utils incident, highlights the need to address the systemic problem of compromised developer repositories and registries, which attackers can use for large-scale, multi-stage supply-chain attacks.