Disturbing trends have emerged concerning malicious Python packages as they continue to spread via PyPI. The Python Package Index is a widely used third-party software repository for the Python programming language. In recent times there has been a surge in malicious Python packages, causing alarm among developers and security researchers. Cyble Research and Intelligence Labs (CRIL) conducted a comprehensive investigation into the incident, revealing the extent of the problem while providing insights into the malicious Python packages.
During the course of their investigation, CRIL discovered more than 160 malicious Python packages that had been downloaded over 45,000 times according to PePy download statistics. A particularly concerning fact was the exponential increase in downloads of these malicious Python packages month by month. PyPI reacted promptly by removing all of the malicious packages, thwarting further infections.
CRIL produced a graph highlighting the distribution of the number of packages downloaded in the last three months, further demonstrating the magnitude of the issue. Surprisingly, during their investigation, CRIL discovered that Python packages were being uploaded with intentionally misspelled names. This was done to deceive users who mistype a name during package installation, leading them to install the wrong package unknowingly. For example, a malicious package named ‘reaquests’ tried to mimic the widely used Python package called ‘requests,’ putting users at risk of infection.
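The ‘reaquests’ versus ‘requests’ case is a near-miss of one edit, which is exactly what a pre-install name check can catch. The following is an added defender-side example, not code from the CRIL report or from PyPI: it normalizes names the way PyPI does (PEP 503), computes an edit distance that also counts adjacent-character swaps, and flags any requirement that is within two edits of a trusted package without matching it exactly. The trusted list and the requirements file are constructed samples; a real deployment would load an organization's allowlist or the top PyPI projects instead.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed sample of widely used package names (assumption for this
# example); a real deployment would load an internal allowlist instead.
TRUSTED_PACKAGES: Set[str] = {
    "requests", "numpy", "sympy", "pandas", "flask", "django", "urllib3",
    "setuptools", "pillow", "cryptography", "boto3",
}

_NORMALIZE_RE = re.compile(r"[-_.]+")


def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase and collapse runs of '-', '_' and '.' to '-'."""
    return _NORMALIZE_RE.sub("-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance: insert, delete, substitute or swap adjacent characters."""
    prev2: Optional[List[int]] = None          # row i-2, needed for transpositions
    prev: List[int] = list(range(len(b) + 1))  # row i-1
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap, e.g. "reuqests"
        prev2, prev = prev, cur
    return prev[len(b)]


def check_package_name(name: str, trusted: Set[str] = TRUSTED_PACKAGES,
                       max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (trusted_name, distance) when `name` is a near-miss of a trusted
    package; return None when it matches a trusted name exactly or is not close
    to any of them (an exact match is the package the user meant)."""
    n = normalize(name)
    best: Optional[Tuple[str, int]] = None
    for t in trusted:
        d = edit_distance(n, normalize(t))
        if d == 0:
            return None
        if d <= max_distance and (best is None or d < best[1]):
            best = (t, d)
    return best


_REQ_LINE_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def audit_requirements(text: str, trusted: Set[str] = TRUSTED_PACKAGES
                       ) -> List[Tuple[str, str, int]]:
    """Scan requirements.txt content; return (line, suspected_target, distance)
    for each requirement whose name looks like a typosquat of a trusted package."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "-")):
            continue  # comments and pip options such as -r / --index-url
        m = _REQ_LINE_RE.match(stripped)
        if not m:
            continue
        hit = check_package_name(m.group(1), trusted)
        if hit:
            findings.append((stripped, hit[0], hit[1]))
    return findings


# Constructed sample requirements file containing one typosquatted name.
SAMPLE_REQUIREMENTS = """\
# constructed example
requests==2.31.0
reaquests==2.31.0
numpy>=1.26
sympy
"""

if __name__ == "__main__":
    for line, target, dist in audit_requirements(SAMPLE_REQUIREMENTS):
        print(f"SUSPECT: {line!r} is {dist} edit(s) from trusted package {target!r}")
```

Run before `pip install -r` in CI to stop the install on any finding. Note that `numpy` and `sympy` are two edits apart, so both pass only because both are on the allowlist; a name the allowlist omits would be reported as a near-miss of whichever trusted name it resembles, which is why the allowlist must be kept complete rather than left as a short list of favourites.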
As a result of their investigation, CRIL discovered several malware variants associated with these malicious packages. All of the packages employed a similar downloader, collectively accumulating 1355 downloads. The downloader retrieved a remote script from a designated URL, obfuscated using the Hyperion Python obfuscator, known to employ multi-layered obfuscation techniques.
Apart from the identical downloader, CRIL also discovered the Creal Stealer, an open-source stealer commonly used by threat actors and distributed through Python packages. These packages were downloaded over 1300 times, once again highlighting the dangers of malicious Python packages.
During CRIL’s investigation, they stumbled upon a package named “Sintaxiscodigo-0.0.0-py3-none-any” with over 300 downloads. Further analysis revealed the package propagated EvilPIP, a malicious PyPI module. Although the specific module has since been removed, its upload demonstrated the intent to infect users.
CRIL urged users and organizations to exercise caution when installing Python packages, ensuring they obtain these packages from trusted sources. Regularly updating security measures and employing reliable antivirus software can provide additional protection against these threats. The surge in malicious Python packages has also prompted PyPI to temporarily suspend the registration of new users and project names.
The investigations conducted by Cyble Research and Intelligence Labs have thrown light on the scope of the problem, including the use of misspelled package names, proliferation of new malware variants, and obfuscation techniques by threat actors. It is vital to recognize and react to these emerging trends in malicious Python packages by taking the necessary steps to protect against them.