
Three PyPI Packages Found Including Password Stealer by Mistake

In an unusual turn of events, the PyPI packages 'keep,' 'pyanxdns,' and 'api-res-py' were discovered to contain a backdoor due to the presence of a malicious 'request' dependency in some versions.

Explained: PyPI package 'keep' modus operandi

It was discovered that some versions of these PyPI packages were using a malicious dependency.
  • GitHub user duxinglin1 discovered the vulnerable versions containing the misspelled 'request' dependency, rather than the legitimate 'requests' library, back in May.
  • CVEs assigned to the vulnerable versions include: CVE-2022-30877 ('keep' version 1.2), CVE-2022-30882 ('pyanxdns' version 0.2), and CVE-2022-31313 ('api-res-py' version 0.1).
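As an added example (not code from the article or from any of the affected projects), a small check that scans a requirements file for dependency names within one edit of a well-known package, the kind of review that would have caught 'request' standing in for 'requests'; the allowlist and the sample requirements file are constructed for illustration:

```python
import re

# Constructed allowlist of well-known package names (assumption: in practice, seed it
# from your organisation's approved dependencies or a top-downloads list).
KNOWN_PACKAGES = {"requests", "urllib3", "numpy", "pandas", "flask", "django", "cryptography"}

# Constructed requirements file modelled on the 'keep' 1.2 mistake: 'request' for 'requests'.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not the real package's metadata
requests>=2.25      # legitimate
request             # one letter short of 'requests'
numpy==1.21.0
-r other.txt
"""

def normalize(name: str) -> str:
    """PEP 503 normalisation: case-insensitive; runs of '-', '_' and '.' are equivalent."""
    return re.sub(r"[-_.]+", "-", name).lower()

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute); 'request' vs 'requests' is 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_requirement(line: str):
    """Return the normalised project name from one requirements line, or None for
    comments, blank lines and pip options such as '-r' or '-e'."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("-"):
        return None
    m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
    return normalize(m.group(0)) if m else None

def find_lookalikes(requirements_text: str, known=KNOWN_PACKAGES, max_distance: int = 1):
    """Flag names that are not on the allowlist but lie within max_distance edits of one
    that is; returns (declared_name, lookalike_of) pairs."""
    known_norm = {normalize(k) for k in known}
    findings = []
    for line in requirements_text.splitlines():
        name = parse_requirement(line)
        if name is None or name in known_norm:
            continue
        for k in sorted(known_norm):
            if levenshtein(name, k) <= max_distance:
                findings.append((name, k))
    return findings

if __name__ == "__main__":
    for declared, target in find_lookalikes(SAMPLE_REQUIREMENTS):
        print(f"suspicious dependency {declared!r}: looks like {target!r}")
```

Run it against a project's requirements or the `install_requires` list from its setup metadata before publishing; a hit means the name deserves a manual look on PyPI before the release goes out.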
 

‘Keep’ package: How big is the threat?

The threat posed by the 'keep' package is significant because it receives over 8,000 downloads per week on average. This is not the case with 'pyanxdns' and 'api-res-py', which are small-scale projects.
  • Even though PyPI removed the 'request' package, many mirror sites may not have removed it entirely, so it could still be installed from a mirror.
  • The malicious code inside the counterfeit 'request' contains a base64-encoded URL pointing to a file named 'check.so'. A threat intel analyst identified a second URL, to a file named 'x.pyx', associated with the counterfeit 'request' dependency.
  • The file 'check.so' contains a Remote Access Trojan (RAT), while 'x.pyx' contains information-stealing malware that takes cookies and personal information from web browsers like Chrome, Firefox, Yandex, Brave, and others.
  • The malware will attempt to steal login names and passwords stored in web browsers. Threat actors with access to user credentials can then attempt to compromise other accounts used by the developer, potentially leading to additional supply-chain attacks.

Hijack or a genuine typo?

A leading tech website contacted the authors of each of these packages to determine whether this was due to a simple typo, self-sabotage, or hijacking of maintainer accounts.
  • According to sources, this is due to a typographical error rather than an account compromise.
  • Furthermore, it appears that the authors of the other two packages also inadvertently introduced 'request' rather than the legitimate 'requests' due to an innocent typing error.
  • The developer has since re-uploaded a new version to PyPI and deleted the version referencing the malicious "request" dependency.
 

Final thoughts

Although the malicious 'request' dependency was long removed from the PyPI registry in this case, anyone using a vulnerable version of the PyPI packages and relying on a mirror to fetch dependencies could end up with malicious info-stealers on their system.
Cyware Publisher