An undisclosed threat actor has deployed a prolonged campaign publishing typosquat packages on the Python Package Index (PyPI), designed to distribute malware and compromise IT experts. Over a six-month period, these 27 malicious packages, such as pyefflorer and pywool, cunningly posed as popular Python libraries, successfully amassing thousands of downloads worldwide, with a notable focus on the U.S., China, and Europe.
Employing a covert approach, the attacker utilized steganography, hiding a malicious payload within an innocuous image file to enhance the attack’s stealthiness. These packages used various tactics, including VBScript deployment and alternate attack chains involving the concealment of executable code within PNG images, aiming at achieving persistence, stealing sensitive information, and potentially accessing cryptocurrency wallets.
A critical aspect of the attack was the utilization of the setup.py script, embedding references to other malicious packages, such as pystob and pywool. These packages orchestrated a VBScript to download and execute a file named “Runtime.exe,” ensuring persistence on the affected system. The malware, embedded within the binary, had the capability to extract information from web browsers, cryptocurrency wallets, and other applications.
Notably, the packages Pystob and Pywool, disguised as API management tools, were found to exfiltrate data to a Discord webhook and attempt to maintain persistence by placing a VBS file in the Windows startup folder. This incident underscores the constant threats present in collaborative coding environments and the risks of open-source ecosystems.
Simultaneously, a separate discovery by ReversingLabs identified protestware npm packages that embedded scripts conveying messages of peace related to conflicts in Ukraine, Israel, and the Gaza Strip.
In this context, the ongoing challenges in securing open-source ecosystems are further highlighted by GitGuardian’s revelation of thousands of exposed secrets in PyPI projects, including AWS keys, GitHub OAuth app keys, and database credentials. Given the escalating attacks on the software supply chain, the U.S. government has issued new guidance emphasizing the need for risk assessments and enhanced security practices among software developers and suppliers.