Inside of the WASP’s nest: deep dive into PyPI-hosted malware

In late 2022 we decided to start monitoring PyPI, arguably the most important Python repository, as there had been a number of reports of it hosting malware. PyPI is of exceptional relevance among all repositories because, historically, it has been trusted by default by many software developers. Any security breach or abuse could lead to a large-scale supply chain attack.

During our monitoring we were able to identify dozens of suspicious packages, allegedly uploaded by threat actors trying to abuse PyPI. In some cases, attackers poisoned well-known legitimate Python libraries and re-uploaded them under typosquatted names, such as “pylOpenSSL” mimicking pyOpenSSL. In other cases, they uploaded completely fake packages consisting only of malicious code, such as the scappy library.
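A defender-side check for the typosquatting pattern described above, added here as an example and not code from the VirusTotal post: it flags a requested package name that sits within a couple of edits of a known-good name. The allowlist, the requested names and the edit-distance threshold are constructed assumptions for this example.

```python
"""Flag requested package names that look like typosquats of known-good ones.

Added example, not code from the original post. The allowlist and the
requested names below are constructed for illustration.
"""
import re

# Constructed allowlist: names a project actually depends on.
KNOWN_GOOD = ["pyOpenSSL", "scapy", "requests", "cryptography"]


def normalize(name: str) -> str:
    """PEP 503 style normalization: lowercase and collapse runs of -, _ and . to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(requested: str, known_good=KNOWN_GOOD, max_distance: int = 2):
    """Return known-good names the requested name is suspiciously close to.

    An exact (normalized) match is the legitimate package and is not flagged.
    Anything within max_distance edits of a known-good name is returned for review.
    """
    req = normalize(requested)
    if req in {normalize(k) for k in known_good}:
        return []
    return [k for k in known_good if levenshtein(req, normalize(k)) <= max_distance]


if __name__ == "__main__":
    # "pylOpenSSL" and "scappy" are one edit away from pyOpenSSL and scapy.
    for name in ["pylOpenSSL", "scappy", "requests", "numpy"]:
        print(f"{name} -> {typosquat_candidates(name)}")
```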

Generally speaking, the main target of these attacks appears to be data from the victim’s environment, with a focus on browser cookies. In some cases, malicious libraries implemented quite original features, such as hijacking cryptocurrency wallet addresses in the victim’s clipboard.

In this post we will share insights on PyPI’s suspicious libraries and take a closer look at particular campaigns abusing it.

Statistical analysis

We observed

[…]
This article has been indexed from VirusTotal Blog