Cybersecurity researchers have identified a malicious campaign targeting users of the Python Package Index (PyPI) repository. The campaign involves several packages that masquerade as time-related utilities, but they contain hidden functionality to steal sensitive data like cloud access tokens. These packages, downloaded over 14,100 times, have been removed from PyPI, but their impact is still significant. They are designed to exfiltrate credentials and other sensitive information, posing a major risk to developers using the repository.
The malicious packages use a technique called combosquatting, where attackers modify legitimate package names to deceive developers. Packages like “execution-time-async” mimic popular libraries but contain malicious code that steals data upon installation. This code communicates with attacker-controlled servers and collects sensitive information, such as cloud service credentials. The attack has affected packages targeting services like AWS, Alibaba Cloud, and Tencent Cloud, highlighting the severity of the threat.
Security experts have noted that the malware uses sophisticated methods for data exfiltration. Instead of relying on easily detectable HTTP connections, the attackers encrypt stolen data and transmit it through blockchain transactions to avoid detection. This advanced technique makes it difficult for traditional network monitoring tools to catch the exfiltration activities. The campaign has already impacted developers worldwide, with over 1,000 downloads of the malicious packages before they were removed.
This attack is part of a growing trend of supply chain attacks targeting open-source repositories. PyPI administrators are working to enhance security, but developers are advised to verify all package sources carefully. Regular auditing of Python environments, monitoring outbound network connections, and using private repositories with stricter vetting processes are essential to prevent compromise. This incident highlights the need for robust supply chain security practices to protect against evolving cyber threats.