Malicious Python Packages Found Infecting Systems


In a disturbing development, cybersecurity researchers have discovered a cluster of 116 malicious packages on the Python Package Index (PyPI) repository. These packages have been designed to infect both Windows and Linux systems with a custom backdoor, with the final payload varying from variants of the W4SP Stealer to clipboard monitors for cryptocurrency theft, or sometimes a combination of both.

Since May 2023, these malicious packages have been downloaded over 10,000 times. The threat actors behind this campaign employ various techniques to bundle the malicious code into Python packages. These techniques include using a `test.py` script, embedding PowerShell in the `setup.py` file, or incorporating it in obfuscated form in the `__init__.py` file.

This discovery highlights the growing need for improved cybersecurity measures, as traditional security measures prove insufficient against modern threats. The adoption of Zero Trust Security is crucial to effectively combat these evolving threats.

The ultimate goal of this campaign is to compromise targeted hosts with malware, primarily by utilizing backdoors that enable remote command execution, data exfiltration, and even capturing screenshots. The backdoor module is implemented in Python for Windows systems, while Go is used for Linux systems. However, there are alternate attack chains that involve the deployment of W4SP Stealer or clipper malware, which manipulates clipboard activity and replaces wallet addresses.

This alarming discovery is part of a broader trend of compromised Python packages being used in supply chain attacks to distribute various types of malware. For instance, ESET previously uncovered libraries that facilitate the distribution of Sordeal Stealer, a malware inspired by W4SP Stealer, as well as malicious packages deploying BlazeStealer.

In light of these developments, Python developers are strongly advised to carefully review any downloaded code for these techniques before installation, as unsuspecting users are often tricked into installing these malicious packages through social engineering tactics.
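As an added illustration of that review step (this is example code, not from the article or from ESET's research), the following Python checker walks a downloaded sdist tarball and flags the three packaging techniques described above: a stray top-level `test.py`, PowerShell references in `setup.py`, and dynamic-execution or decoding primitives in `__init__.py`. The regular expressions and file names are assumptions chosen for this example, and the sample archive it builds is constructed and benign.

```python
import io
import re
import tarfile
from pathlib import PurePosixPath

# Heuristics for the three techniques the article describes (assumed patterns,
# tuned for illustration; a real review would extend and maintain them).
SUSPECT_NAMES = {"test.py"}
POWERSHELL_RE = re.compile(r"powershell(\.exe)?|-EncodedCommand|Invoke-Expression", re.I)
OBFUSCATION_RE = re.compile(
    r"\b(exec|eval)\s*\(|base64\.b64decode|\b(zlib|marshal)\.|__import__\s*\(|\\x[0-9a-f]{2}", re.I)
LONG_BLOB_RE = re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")  # long encoded string literal


def inspect_file(name: str, text: str) -> list[str]:
    """Return human-readable findings for one Python file inside the package."""
    base = PurePosixPath(name).name
    findings = []
    if base in SUSPECT_NAMES:
        findings.append(f"{name}: unexpected top-level test.py in sdist")
    if base == "setup.py" and POWERSHELL_RE.search(text):
        findings.append(f"{name}: setup.py references PowerShell")
    if base in ("setup.py", "__init__.py"):
        if OBFUSCATION_RE.search(text):
            findings.append(f"{name}: dynamic code execution / decoding primitives")
        if LONG_BLOB_RE.search(text):
            findings.append(f"{name}: long encoded string literal")
    return findings


def inspect_sdist(data: bytes) -> list[str]:
    """Scan every .py member of an sdist tarball (bytes) without extracting it to disk."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".py"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            findings.extend(inspect_file(member.name, text))
    return findings


def build_sample_sdist() -> bytes:
    """Constructed, benign sample sdist that exhibits the three patterns (the decoded base64 is print('hi'))."""
    files = {
        "pkg-1.0/setup.py": "from setuptools import setup\nimport subprocess\n"
                            "subprocess.run(['powershell', '-Command', 'Write-Output hi'])\nsetup(name='pkg')\n",
        "pkg-1.0/pkg/__init__.py": "exec(__import__('base64').b64decode('cHJpbnQoJ2hpJyk='))\n",
        "pkg-1.0/test.py": "print('hi')\n",
        "pkg-1.0/pkg/core.py": "def add(a, b):\n    return a + b\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return buf.getvalue()


if __name__ == "__main__":
    for line in inspect_sdist(build_sample_sdist()):
        print(line)
```

Run it against a real download with `inspect_sdist(open("pkg.tar.gz", "rb").read())`; a hit is a prompt for manual review, not proof of malice, since legitimate packages occasionally use these constructs too.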

This is not an isolated incident, as similar cases of npm packages targeting a financial institution and exfiltrating user credentials to an internal Microsoft Teams webhook have been reported. npm is a popular package manager for JavaScript libraries, and the names of these malicious packages have been withheld for confidentiality reasons.

It is essential for users and developers to remain vigilant and exercise caution when downloading and installing packages from public software repositories. Verify the authenticity of packages, ensure the security of developer workstations, and thoroughly vet software libraries for any malicious modifications.

To stay informed and up to date on cybersecurity news, insights, and tips, it is highly recommended to sign up for cybersecurity newsletters and resources. By staying informed, users and developers can protect themselves against the growing threat landscape and contribute to a more secure digital environment.

[Source 1](https://www.welivesecurity.com/en/eset-research/pernicious-potpourri-python-packages-pypi/)

[Source 2](https://github.com/eset/malware-ioc/tree/master/pypi_backdoor)

[Source 3](https://docs.python.org/3/tutorial/modules.html#packages)

[Source 4](https://blog.phylum.io/encrypted-npm-packages-found-targeting-major-financial-institution/)


December 15, 2023
A cluster of 116 malicious Python packages has been discovered on PyPI, designed to infect systems with backdoors and steal cryptocurrencies.