Posted on 01/13/2024 9:53:25 AM PST by DoodleBob
PyPI is the official Python Package Index that currently contains 500,972 projects, 5,228,535 million releases, 9,950,103 million files, and 770,841 users. PyPI helps users locate and install software developed and released by the Python community as well as serving as a repository where developers can distribute their software.
Recently, cybersecurity specialist ESET discovered a series of malicious Python projects within PyPI, each of which deployed a customized backdoor containing cyberespionage functionality. The malicious code allowed file execution and file exfiltration, and could even -- in certain scenarios -- enable screenshots to be taken of a user's screen. ESET also reported that, in some cases, the W4SP Stealer (which siphons user data) or a clipboard monitor that steals cryptocurrency is delivered instead.
In total, 116 malicious packages in PyPI were uploaded across 53 projects and downloaded more than 10,000 times.
According to ESET researcher Marc-Etienne M.Léveillé, "Some malicious package names do look similar to other, legitimate packages, but we believe the main way they are installed by potential victims isn't via typosquatting, but social engineering, where they are walked through running pip to install an 'interesting' package for whatever reason."
In his blog post, "A pernicious potpourri of Python packages in PyPI," M.Léveillé said, "PyPI continues to be abused by cyber attackers to compromise Python programmers' devices." He continues, "This campaign displays a variety of techniques being used to include malware in Python packages. Python developers should thoroughly vet the code they download, especially checking for these techniques, before installing it on their systems. As well as continuing to abuse the open-source W4SP Stealer, the operators have also deployed a simple, but effective, backdoor. We expect that such abuse of PyPI will continue and advise caution when installing code from any public software repository."
By the time ESET published its findings, most of the packages had been taken down by PyPI. And, at this point, all the known malicious packages are now offline.
The operators behind this subterfuge used three different techniques for the campaign: placing a test module with minimal, slightly obfuscated malicious code; embedding PowerShell code into the setup.py file; and including only malicious code in the package that is slightly obfuscated.
On Windows, the backdoor was implemented in Python. On Linux, the backdoor used the Go language.
Given how widespread Python is, developers should vet any third-party code they use before adding it to their projects. ESET firmly believes the abuse of PyPI will continue. M.Léveillé went so far as to advise caution in "installing code from any public software repository."
With many firms and startups trying to build the next ChatGPT, and programmers liking freeware, I expect this kind of attack to become way more common.
Possible ping of interest.
A link describing Python Standard Library functionality:
https://docs.python.org/3/library/index.html
>>”PyPI continues to be abused by cyber attackers to compromise Python programmers’ devices.”
People are why we can’t have nice things.
I predicted this was going to be an Achilles’ Heel of AI programming: the package won’t koow enough either to avoid new backdoors in the wild, or to recognize when an unscrupulous developer is verbally telling the AI program to put in a malicious module.
Unfortunately, that is no surprise. And it only takes one a$$hole to lay that turd in the punchbowl and ruin it for everybody.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.