ESET Research has uncovered a cluster of malicious Python projects distributed through PyPI, the official Python package repository. The campaign targets both Windows and Linux systems; depending on the package, it delivers a custom backdoor, a variant of the infamous W4SP Stealer, a simple clipboard monitor used to steal cryptocurrency, or a combination of these. The cluster is distinct from the ones ESET reported in May 2023 and appears to be a separate campaign. The key points of the discovery:
ESET Research identified 116 malicious files across 53 PyPI projects. Together they had been downloaded more than 10,000 times, at an average of about 80 downloads per day since May 2023. The malware delivers a backdoor capable of remote command execution, file exfiltration, and screenshot capture, with components implemented for both Windows and Linux. The campaign has been running for months and relies on several distinct delivery techniques, described below.
Given how heavily Python developers rely on PyPI to share and install code, it is easy to see why the repository is an attractive target. Malicious packages, sometimes posing as legitimate and popular libraries, show how readily harmful content can appear there; this campaign alone accounts for 116 malicious files.
The operators behind this campaign were observed using three techniques to bundle malicious code into Python packages:
1. A “test” module containing lightly obfuscated code, placed inside an otherwise ordinary-looking package.
2. PowerShell code embedded in setup.py, which pip executes when it installs a source distribution, so the payload runs at install time.
3. A package consisting solely of the lightly obfuscated malicious code, with no legitimate content at all.
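The three packaging tricks above can be checked for before a package is installed, by unpacking the source distribution and inspecting each module's syntax tree instead of trusting its name. The script below is an added example written for this page, not ESET's tooling and not code from any of the malicious packages: it flags install-time shell launches in setup.py, exec()/eval() fed by a decoder such as base64, long base64-looking string literals, and the case where every real module is flagged (nothing legitimate left). The sample package it scans is constructed and harmless; the heuristics and labels are this example's own.

```python
"""Scan an unpacked Python source distribution for the three packaging
tricks described above. Added example, not ESET's tooling; the sample
package below is constructed and does nothing harmful."""
from __future__ import annotations

import ast
import re
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious sdist: setup.py launches PowerShell
# at install time, __init__ pulls in a "test" module, and that module
# exec()s a decoded payload (the payload merely prints "hello").
SAMPLE_PACKAGE = {
    "setup.py": (
        "from setuptools import setup\n"
        "import subprocess\n"
        "subprocess.Popen(['powershell', '-w', 'hidden', '-c', 'Write-Host hi'])\n"
        "setup(name='totally-legit', version='0.1')\n"
    ),
    "totally_legit/__init__.py": "from . import test\n",
    "totally_legit/test.py": (
        "import base64\n"
        "exec(base64.b64decode('cHJpbnQoImhlbGxvIik='))\n"
    ),
}

SHELLS = {"powershell", "powershell.exe", "pwsh", "cmd", "cmd.exe", "sh", "/bin/sh", "bash"}
RUNNERS = {"Popen", "run", "call", "check_call", "check_output", "system", "popen"}
DECODERS = {"b64decode", "b32decode", "a85decode", "unhexlify", "decompress"}
LONG_B64 = re.compile(r"^[A-Za-z0-9+/]{60,}={0,2}$")


def _callee(node: ast.Call) -> str:
    """Bare name of the called function: exec, b64decode, Popen, ..."""
    f = node.func
    return f.id if isinstance(f, ast.Name) else f.attr if isinstance(f, ast.Attribute) else ""


def _string_args(node: ast.Call):
    """String literals passed directly or inside a list/tuple argument."""
    for arg in node.args:
        elts = arg.elts if isinstance(arg, (ast.List, ast.Tuple)) else [arg]
        for e in elts:
            if isinstance(e, ast.Constant) and isinstance(e.value, str):
                yield e.value


def scan_source(src: str) -> set[str]:
    """Return the set of suspicious patterns found in one module's source."""
    findings: set[str] = set()
    try:
        tree = ast.parse(src)
    except SyntaxError:
        return {"unparseable"}
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _callee(node)
            # exec()/eval() fed by a decoder call: the "lightly obfuscated" pattern
            if name in {"exec", "eval"} and any(
                isinstance(n, ast.Call) and _callee(n) in DECODERS for n in ast.walk(node)
            ):
                findings.add("exec-of-decoded-payload")
            # subprocess/os call whose argv names a shell such as powershell
            if name in RUNNERS and any(
                s.split()[0].lower() in SHELLS for s in _string_args(node) if s.strip()
            ):
                findings.add("shell-launch")
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            if LONG_B64.match(node.value.replace("\n", "")):
                findings.add("long-base64-literal")
    return findings


def scan_package(root: Path) -> dict:
    """Map each flagged module to its findings and name the techniques seen."""
    files: dict[str, set[str]] = {}
    techniques: set[str] = set()
    modules = sorted(root.rglob("*.py"))
    for path in modules:
        rel = path.relative_to(root).as_posix()
        found = scan_source(path.read_text(errors="replace"))
        if found:
            files[rel] = found
        if path.name == "setup.py" and found & {"shell-launch", "exec-of-decoded-payload"}:
            techniques.add("install-time code in setup.py")   # technique 2
        if path.stem == "test" and found:
            techniques.add("obfuscated 'test' module")        # technique 1
    # technique 3: apart from setup.py and __init__.py, every module is flagged
    real = [p for p in modules if p.name not in ("setup.py", "__init__.py")]
    if real and all(p.relative_to(root).as_posix() in files for p in real):
        techniques.add("no legitimate content")
    return {"files": files, "techniques": techniques}


def demo() -> dict:
    """Write the constructed sample to a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="pypi-scan-"))
    for rel, text in SAMPLE_PACKAGE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)
    return scan_package(root)


if __name__ == "__main__":
    report = demo()
    for rel, found in report["files"].items():
        print(f"{rel}: {', '.join(sorted(found))}")
    print("techniques:", ", ".join(sorted(report["techniques"])))
```

To vet a real candidate, download it without installing (`pip download --no-deps --no-binary :all: <name>`), unpack the archive, and point `scan_package` at the unpacked directory; the scan only parses, never imports or executes, the package. A clean result is not proof of safety, only the absence of these particular patterns.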
The campaign has drawn a large number of downloads, and its payloads run on both Windows and Linux, with persistence achieved through a method specific to each. On Windows, a VBScript Encoded (VBE) file is used; on Linux, a malicious desktop entry is dropped into an autostart directory so that it is launched with the user's session. The final payload is usually a custom backdoor that allows remote command execution and file exfiltration, or in some cases a variant of the W4SP Stealer or a clipboard monitor used to steal cryptocurrency.
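On a host that may have installed one of these packages, the two persistence mechanisms above leave artifacts that can be triaged directly. The script below is an added example for this page, not ESET's tooling: it parses every .desktop entry in the XDG autostart directories and flags Exec= lines that start an interpreter one-liner, reference a decoder or downloader, or run from a temp location, and it lists script files such as .vbe in the Windows Startup folder. The directory locations used (`~/.config/autostart`, `/etc/xdg/autostart`, and `%APPDATA%`/`%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup`) are the conventional ones and are an assumption of this example, since the page does not name the directories; the sample entries are constructed.

```python
"""Triage login-time persistence of the kind described above: .desktop
entries in the XDG autostart directories (Linux) and script files in the
Startup folder (Windows). Added example, not ESET's tooling. The directory
locations are assumed (the page does not name them); samples are constructed."""
from __future__ import annotations

import configparser
import os
import re
import tempfile
from pathlib import Path

# Patterns in an Exec= line that deserve a second look.
EXEC_CHECKS = {
    "inline-interpreter": re.compile(r"\b(python[\d.]*|sh|bash|perl)\s+-c\b"),
    "decoder-or-downloader": re.compile(r"\b(base64|curl|wget)\b"),
    "temp-location": re.compile(r"/(tmp|var/tmp|dev/shm)/"),
}
# File types that should not normally sit in a Windows Startup folder.
SCRIPT_SUFFIXES = {".vbe", ".vbs", ".js", ".jse", ".wsf", ".bat", ".cmd", ".ps1"}

# Constructed sample entries: one ordinary applet, one dropper-style entry.
SAMPLE_ENTRIES = {
    "printer-applet.desktop": (
        "[Desktop Entry]\nType=Application\nName=Printer applet\n"
        "Exec=/usr/bin/system-config-printer-applet\n"
    ),
    "update-helper.desktop": (
        "[Desktop Entry]\nType=Application\nName=Update helper\n"
        "Exec=/usr/bin/python3 -c \"import base64;exec(base64.b64decode('cHJpbnQoMSk='))\"\n"
        "NoDisplay=true\n"
    ),
}


def linux_autostart_dirs() -> list[Path]:
    """Per-user and system-wide autostart directories per the XDG spec (assumed locations)."""
    user = Path(os.environ.get("XDG_CONFIG_HOME") or Path.home() / ".config") / "autostart"
    system = [Path(d) / "autostart"
              for d in os.environ.get("XDG_CONFIG_DIRS", "/etc/xdg").split(":") if d]
    return [user, *system]


def windows_startup_dirs() -> list[Path]:
    """Per-user and all-users Startup folders, when the environment defines them."""
    tail = Path("Microsoft/Windows/Start Menu/Programs/Startup")
    return [Path(os.environ[var]) / tail for var in ("APPDATA", "PROGRAMDATA") if os.environ.get(var)]


def triage_desktop_entry(path: Path) -> list[str]:
    """Findings for one .desktop file; an empty list means nothing stood out."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(path.read_text(errors="replace"))
        entry = cp["Desktop Entry"]
    except (configparser.Error, KeyError):
        return ["unparseable"]
    findings = [name for name, rx in EXEC_CHECKS.items() if rx.search(entry.get("Exec", ""))]
    if entry.get("NoDisplay", "").lower() == "true":
        findings.append("nodisplay")  # entry is kept out of menus
    return sorted(findings)


def triage_autostart_dir(directory: Path) -> dict[str, list[str]]:
    """Findings keyed by file name for every .desktop entry in a directory."""
    if not directory.is_dir():
        return {}
    return {p.name: triage_desktop_entry(p) for p in sorted(directory.glob("*.desktop"))}


def triage_startup_dir(directory: Path) -> dict[str, list[str]]:
    """Flag script files (e.g. .vbe) sitting in a Windows Startup folder."""
    if not directory.is_dir():
        return {}
    return {p.name: ["script-in-startup"] for p in sorted(directory.iterdir())
            if p.suffix.lower() in SCRIPT_SUFFIXES}


def demo() -> dict:
    """Build constructed autostart/Startup directories in a temp dir and triage them."""
    base = Path(tempfile.mkdtemp(prefix="autostart-triage-"))
    autostart, startup = base / "autostart", base / "Startup"
    autostart.mkdir()
    startup.mkdir()
    for name, text in SAMPLE_ENTRIES.items():
        (autostart / name).write_text(text)
    (startup / "update.vbe").write_bytes(b"constructed placeholder, not a real VBE file")
    return {"linux": triage_autostart_dir(autostart), "windows": triage_startup_dir(startup)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
    # Live check of this host's own directories.
    for d in linux_autostart_dirs():
        for name, found in triage_autostart_dir(d).items():
            if found:
                print(f"{d / name}: {', '.join(found)}")
    for d in windows_startup_dirs():
        for name, found in triage_startup_dir(d).items():
            print(f"{d / name}: {', '.join(found)}")
```

The Exec= heuristics are deliberately narrow; a flagged entry still needs a human to read the command and the file it points to. Decoding a VBE file is a separate step, so the Windows check only reports that a script is present where none should be.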
The blogpost details both the scale of the campaign and the specific coding techniques behind it. Packaging malware this way makes it harder to spot, since the code can pass for a legitimate library. The operators' use of several techniques, and of third-party services such as Dropbox and transfer.sh, shows a deliberate approach to distribution.
The report recommends that Python developers exercise caution and vet the code they download, in particular checking for the techniques described above before installing anything. It also warns that this kind of abuse of PyPI is likely to continue and stresses the need for vigilance when installing code from any public software repository.
Most of the malicious packages had already been taken offline by the time of the report; ESET reported the remainder to PyPI, and all known malicious packages are now offline. The full list of the 116 files is available in ESET's GitHub repository for reference.
The discovery is a reminder to the security community that open-source software remains an active target and that vetting dependencies must be routine. Developers should stay current on emerging threats and adopt the practices described above to protect their systems and data.

