Malicious PyPI Package Uses Unicode - Why?

Usage of Unicode

• The package’s setup[.]py contained thousands of similar yet suspicious code strings that use a mix of Unicode characters.
• These code strings appear normal to the readers, however, Python interpreter handlers parse and recognize these characters differently, and thus, process the malicious intent hidden behind them.
• For instance, there are five possible alternatives for writing the single alphabet n, and 19 for the alphabet s. The word __import__ (commonly used in programming) can be written in over one billion different alternatives, which can easily bypass any static pattern matching-based security scan.

How bad is it?

• The identifiers such as __import__, subprocess, and CryptUnprotectData are usual programming constructs, which would raise red flags for suspicious activity. 
• However, their equivalent Unicode alternatives could easily bypass the defenses that operate on string-matching-based scans. 
• By exploiting this fact, threat actors created an astronomical number of identifier variants for the same code that easily bypassed defenses designed around string matching.
• Additionally, they harvested and exfiltrated developers' account credentials and other sensitive data from compromised devices using the malicious package.

Final words