Cybersecurity researchers have uncovered a sophisticated threat in the form of a malicious Python package named requests-darwin-lite. Disguised as a variant of the popular requests library, this package was found to harbor a Golang version of the Sliver command-and-control (C2) framework concealed within a PNG image of the project’s logo. The discovery exposes how vulnerable open-source ecosystems are to this kind of abuse: the package accumulated 417 downloads before being removed from the Python Package Index (PyPI) registry.
The deceptive nature of requests-darwin-lite is particularly concerning. Its setup.py file was altered to execute a Base64-encoded command that gathers the system’s Universally Unique Identifier (UUID). The infection process is selective, proceeding only if the identifier matches a predetermined value, which suggests either a highly targeted attack or a meticulous testing phase preceding a broader campaign. The malicious PNG also differs in file size from the legitimate logo image, a discrepancy that, together with the embedded Sliver C2 framework, underscores the sophisticated tactics threat actors employ to infiltrate and compromise systems.
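The size discrepancy described above can be checked structurally rather than by eye. The following Python sketch is an added example, not code from the researchers or from the package: it walks a PNG's chunks, verifies each CRC, and reports any bytes that follow the IEND chunk, which a well-formed image should not have. It assumes the extra data sits after IEND, which the article does not state; the function names and sample bytes are constructed for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Leading magic bytes of common executable formats (used only to label trailing data).
EXEC_MAGICS = {b"\xcf\xfa\xed\xfe": "Mach-O 64-bit", b"\xca\xfe\xba\xbe": "Mach-O universal",
               b"\x7fELF": "ELF", b"MZ": "PE"}

def png_trailing_bytes(data):
    """Walk the chunk list and return the number of bytes after IEND."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while True:
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header (no IEND found)")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length + 4          # header + body + CRC
        if end > len(data):
            raise ValueError("truncated chunk body")
        body = data[pos + 8:pos + 8 + length]
        if zlib.crc32(ctype + body) != struct.unpack(">I", data[end - 4:end])[0]:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        pos = end
        if ctype == b"IEND":
            return len(data) - pos

def inspect_png(data):
    """Report trailing byte count and whether the tail starts like an executable."""
    trailing = png_trailing_bytes(data)
    tail = data[len(data) - trailing:]
    kind = next((n for m, n in EXEC_MAGICS.items() if tail.startswith(m)), None)
    return {"trailing_bytes": trailing, "executable": kind}

def _chunk(ctype, body=b""):
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def sample_png():
    """Constructed 1x1 grayscale PNG used as clean test input."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")       # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND")

if __name__ == "__main__":
    clean = sample_png()
    print(inspect_png(clean))
    print(inspect_png(clean + b"\xcf\xfa\xed\xfe" + b"\x00" * 12))  # constructed tail
```

Run against the image files inside a downloaded sdist or wheel before installation; a non-zero trailing byte count is a reason to compare the file against the upstream project's copy.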
The implications of this discovery extend beyond the immediate threat posed by requests-darwin-lite. It serves as a stark reminder of the ongoing battle against malware infiltrating package registries like PyPI. With the majority of codebases relying on open-source components, the potential impact of such attacks on web infrastructure cannot be overstated. This incident reinforces the need for comprehensive and systematic security measures to mitigate the risks inherent in open-source ecosystems.