Cybersecurity researchers have discovered a new malicious Python package in the Python Package Index (PyPI) repository, named pytoileur, which is being used to facilitate cryptocurrency theft. This package, authored by a user named PhilipsPY, has been downloaded 316 times and was re-uploaded with identical functionality after a previous version was removed by PyPI maintainers on May 28, 2024. The package’s setup.py script contains malicious code that executes a Base64-encoded payload to retrieve a Windows binary from an external server, which then installs additional spyware and stealer malware to gather data from web browsers and cryptocurrency services.
The campaign’s propagation was aided by a newly created Stack Overflow account named “EstAYA G,” which directed users to install the pytoileur package under the guise of providing solutions to their technical queries. Security researcher Ax Sharma noted that the recent age and singular focus of the Stack Overflow account on promoting the malicious package strongly suggest that it is linked to the threat actor behind the pytoileur campaign. The misuse of Stack Overflow, a reputable platform, to spread malware is a significant concern, particularly for novice developers who may fall victim to such deceptive advice.
Stack Overflow has responded to the incident by suspending the malicious account and removing the content that violated its network policies. This incident underscores the growing threat of supply chain attacks in open-source ecosystems, where malicious actors target multiple users by compromising widely-used software packages. Sonatype, the company that analyzed the malicious package, highlighted the unprecedented nature of this open abuse and its implications for the global developer community.
The pytoileur incident also shares similarities with previous malicious campaigns involving bogus Python packages like Pystob and Pywool, as reported by Checkmarx in November 2023. These findings highlight the persistent risk posed by threat actors exploiting open-source repositories to distribute malware, emphasizing the need for developers to remain vigilant and for platforms to enhance their security measures to protect users from such attacks.
