The Python Package Index (PyPI) serves as a crucial repository for software packages. However, FortiGuard Labs’ recent threat research sheds light on a sinister presence within PyPI. The research team, led by Gabby Xiong, Jin Lee, and Amina Qurban, uncovered an elusive malware author operating under the alias “WS.” Through discreet uploads, this threat actor injected malicious packages like nigpal, figflix, and TestLibs111, aiming to compromise users’ systems.
The identified packages exhibit attack methodologies reminiscent of a previous Checkmarx blog post, hinting at a potential connection to a malicious campaign from early 2023. These packages cleverly incorporate base64-encoded source code within their setup.py files, deploying final malicious payloads upon installation, based on the victim’s operating system. Notably, the recent variants employ a new method for transmitting stolen data, utilizing a range of IP addresses to enhance resilience.
FortiGuard Labs estimates over 2000 victims impacted by these packages. The timeline of findings reveals a persistent threat, evolving with subtle distinctions. While earlier attacks targeted both Windows and Linux users, the recent focus is primarily on Windows users. The payloads, such as those in the sGMM, myGens, and NewGends packages, demonstrate a concerted effort to exfiltrate sensitive information from victims.
