A previously dormant package on the Python Package Index (PyPI) called django-log-tracker has resurfaced after almost two years, but with a malicious update. Security experts discovered that this update introduced an information-stealing malware known as Nova Sentinel. The suspicious activity was flagged by software supply chain security firm Phylum on February 21, 2024, indicating a potential compromise of the PyPI account linked to the package’s developer.
Although the corresponding GitHub repository for django-log-tracker had not been updated since April 10, 2022, the appearance of this malicious update suggests unauthorized access to the PyPI account. This underscores the vulnerability of package repositories to supply chain attacks, posing a significant risk to the broader Python developer community. Despite the relatively low number of downloads for django-log-tracker, the incident highlights the potential impact of such attacks on projects relying on PyPI packages.
The malicious update stripped the package of most of its original content, leaving behind only minimal files, including an init.py and example.py. Additionally, the update included code to fetch and execute an executable named “Updater_1.4.4_x64.exe” from a remote server, indicating the presence of the Nova Sentinel malware. This malware, first documented by Sekoia in November 2023, operates as an information stealer and has been distributed through fake Electron apps on fraudulent websites.
The significance of this incident lies in the attempted supply-chain attack via a compromised PyPI account. Phylum emphasized that if the affected package had been more widely used, projects depending on it could have unknowingly incorporated the malicious update. This highlights the importance of maintaining robust security measures within package repositories to safeguard against similar threats in the future.
