
PyPI Packages Become a Lucrative Target For Malware Attacks

Cybersecurity researchers continue to uncover software supply chain attacks that abuse the Python Package Index (PyPI), the official third-party package repository for Python. In the latest finding, attackers published PyPI packages carrying the W4SP Stealer malware with the aim of infecting developers' machines.

What’s the update?

According to a report by Phylum, the attack started on October 12 and was at its peak on October 22. 
  • Around 29 packages in the PyPI index were infected with the W4SP Stealer malware as a part of the attack.
  • The list of offending packages included typesutil, typestring, sutiltype, duonet, fatnoob, strinfer, pydprotect, incrivelsim, twyne, pyptext, installpy, faq, colorwin, and requests-httpx, among others.
  • These malicious packages were downloaded more than 5,700 times, with some of the libraries relying on typosquatting to trick unsuspecting users into downloading them.
  • Once one of the malicious packages was installed, W4SP Stealer executed on the victim's system to pilfer files of interest, passwords, browser cookies, system metadata, and Discord tokens.
  • The info-stealer is, moreover, capable of harvesting data from MetaMask, Atomic, and Exodus crypto wallets.

Rising security concerns around PyPI packages 

Python packages uploaded to the PyPI repository are increasingly being used to perform a wide swath of malware attacks.
  • Recently, a set of malicious PyPI packages was used in a typosquatting campaign to launch DDoS attacks against Counter-Strike servers.
  • In another attack, malicious payloads were injected into 33 PyPI packages to drop cryptominers on targeted Linux machines.
  • The open-source Python package repository was also abused in an attack to steal sensitive data, including AWS credentials and environment variables.

Conclusion

The findings illustrate the continued abuse of the open-source ecosystem to propagate malicious packages that are designed to harvest sensitive information and make way for software supply chain attacks. As this is an ongoing attack, it is likely that attackers will be constantly changing their tactics to infect more users.
Cyware Publisher