Malicious Python Packages Downloaded 75k Times

A malicious campaign targeting open-source platforms has been discovered, with hundreds of info-stealing Python packages found hiding within these repositories. These packages have been downloaded approximately 75,000 times and pose a significant threat to users.

According to a report by Checkmarx's Supply Chain Security team, the campaign has been active since early April and has been under active observation and monitoring by their researchers since. In their efforts, they discovered 272 packages with code specifically designed to steal sensitive data from targeted systems. Yehuda Gelb, a security researcher at Checkmarx, stated "the sheer volume and persistence of these deployments hinted at an attacker with a well-crafted agenda".

The malware has shown a steady evolution in its sophistication, transitioning from simple plaintext code to multilayered obfuscation. Furthermore, the malware targets a wide range of information, including Wi-Fi passwords, credentials, browsing history, and data from cryptocurrency wallet apps.

It also gathers information on the various antivirus tools that may be present on a victim’s system. In August 2023, the malware evolved to be able to shut off such defense systems on a compromised device.

That being said, one of the most concerning aspects of this malware is its ability to monitor the victim’s clipboard for cryptocurrency addresses, swapping them with the attacker’s address to divert payments. This tactic has proven lucrative for the attackers, who have stolen approximately $100,000 in cryptocurrency. Upon command, the malware can also take screenshots from the compromised system and steal files from the Desktop, Pictures, Documents, Music, Videos, and Downloads directories.

Open-source Python repositories, given their popularity, have become prime targets for hackers. The discovery of this malicious campaign underscores the vulnerabilities present in open-source platforms. Users are advised to exercise caution — scrutinize Python packages before you download them and ensure they come from a trusted source.