Cybersecurity researchers have warned of a malicious campaign targeting users of the Python Package Index (PyPI) repository with bogus libraries masquerading as "time"-related utilities but containing hidden functions to steal sensitive data such as cloud access tokens.
Software supply chain security firm ReversingLabs said it had discovered two sets of packages, totaling 20. The packages had been downloaded a total of over 14,100 times.
snapshot-photo (2,448 downloads)
time-check-server (316 downloads)
time-check-server-get (178 downloads)
time-server-analysis (144 downloads)
time-server-analyzer (74 downloads)
time-server-test (155 downloads)
time-service-checker (151 downloads)
aclient-sdk (120 downloads)
acloud-client (5,496 downloads)
acloud-clients (198 downloads)
acloud-client-uses (294 downloads)
alicloud-client (622 downloads)
alicloud-client-sdk (206 downloads)
amzclients-sdk (100 downloads)
awscloud-clients-core (206 downloads)
credential-python-sdk (1,155 downloads)
enumer-iam (1,254 downloads)
tclients-sdk (173 downloads)
tcloud-python-sdk (98 downloads)
tcloud-python-test (793 downloads)
While the first set refers to packages that are used to load data into the threat agent infrastructure, the second cluster consists of packages that implement cloud client functions for several services such as Alibaba Cloud, Amazon Web Services and Tencent Cloud.
